gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-06 04:41:18 -08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gitea-mirror:v0.59.1
Branches Tags
gitea-mirror:main gitea-mirror:gh-pages gitea-mirror:release-please--branches--main gitea-mirror:dependabot/go_modules/common-cc771e60f7 gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/go_modules/docker-27a0fd26b0 gitea-mirror:dependabot/go_modules/aws-180b2af62a gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1
...
compare: gitea-mirror:v0.61.0
Branches Tags
gitea-mirror:gh-pages gitea-mirror:release-please--branches--main gitea-mirror:main gitea-mirror:dependabot/go_modules/common-cc771e60f7 gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/go_modules/docker-27a0fd26b0 gitea-mirror:dependabot/go_modules/aws-180b2af62a gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1

99 Commits
v0.59.1 ... v0.61.0

Author SHA1 Message Date
Aqua Security automated builds
7f41822d4f release: v0.61.0 [main] (#8507) 2025-03-28 06:30:43 +00:00
simar7
5b7704d1d0 fix(misconf): Improve logging for unsupported checks (#8634) 2025-03-28 05:20:57 +00:00
afdesk
1bf0117f77 feat(k8s): add support for controllers (#8614) 2025-03-27 20:58:14 +00:00
DmitriyLewen
346f5b3553 fix(debian): don't include empty licenses for dpkgs (#8623) 2025-03-27 20:50:59 +00:00
simar7
ad58cf4457 fix(misconf): Check values wholly prior to evalution (#8604) 2025-03-27 07:19:31 +00:00
simar7
c76764ef5d chore(deps): Bump trivy-checks (#8619) 2025-03-27 07:11:45 +00:00
DmitriyLewen
dbb6f28871 fix(k8s): show report for --report all (#8613) 2025-03-27 06:01:50 +00:00
dependabot[bot]
548a340075 chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#8597) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-27 02:03:24 +00:00
Teppei Fukuda
c80310d769 refactor: rename scanner to service (#8584) 2025-03-23 23:47:03 +00:00
Nikita Pivkin
de7eb13938 fix(misconf): do not skip loading documents from subdirectories (#8526) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-22 06:01:04 +00:00
Nikita Pivkin
f07030daf2 refactor(misconf): get a block or attribute without calling HasChild (#8586) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-22 02:48:34 +00:00
Nikita Pivkin
ba77dbe5f9 fix(misconf): identify the chart file exactly by name (#8590) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-22 01:07:41 +00:00
Nikita Pivkin
7bafdcaaf9 test: use table-driven tests in Helm scanner tests (#8592) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: Simar <simar@linux.com>
 2025-03-22 00:49:36 +00:00
simar7
68b164ddf4 refactor(misconf): Simplify misconfig checks bundle parsing (#8533) 2025-03-21 22:38:26 +00:00
dependabot[bot]
8e1019d82c chore(deps): bump the common group across 1 directory with 10 updates (#8566) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-20 13:58:42 +00:00
Nikita Pivkin
400a79c2c6 fix(misconf): do not use cty.NilVal for non-nil values (#8567) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-19 19:19:39 +00:00
Teppei Fukuda
fe400ea55f docs(cli): improve flag value display format (#8560) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2025-03-18 09:30:53 +00:00
Nikita Pivkin
1f05b4545d fix(misconf): set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-17 20:13:42 +00:00
Itay Shakury
6973da6f5e docs: remove slack (#8565) 2025-03-17 12:43:59 +00:00
DmitriyLewen
8b88238f07 fix: use --file-patterns flag for all post analyzers (#7365) 2025-03-17 10:12:10 +00:00
Konstantin Gukov
e8c32dedaa docs(python): Mention pip-compile (#8484) 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2025-03-17 02:45:01 +00:00
Nikita Pivkin
9913465a53 feat(misconf): adapt aws_opensearch_domain (#8550) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-15 05:49:04 +00:00
Nikita Pivkin
0d9865f48f feat(misconf): adapt AWS::EC2::VPC (#8534) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-14 04:52:05 +00:00
Teppei Fukuda
9bedd989a9 docs: fix a broken link (#8546) 2025-03-13 12:07:11 +00:00
DmitriyLewen
c22830766e fix(fs): check postAnalyzers for StaticPaths (#8543) 2025-03-13 11:36:24 +00:00
Nikita Pivkin
126d6cd033 refactor(misconf): remove unused methods for ec2.Instance (#8536) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-13 06:43:38 +00:00
Nikita Pivkin
b57eccb09c feat(misconf): adapt aws_default_security_group (#8538) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-13 06:42:30 +00:00
Teppei Fukuda
8bf6caf98e feat(fs): optimize scanning performance by direct file access for known paths (#8525) 2025-03-13 04:29:42 +00:00
Nikita Pivkin
8112cdf8d6 feat(misconf): adapt AWS::DynamoDB::Table (#8529) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-11 21:21:14 +00:00
Asgeir Storesund Nilsen
124e161669 style: Fix MD syntax in self-hosting.md (#8523) 2025-03-11 07:17:05 +00:00
Nikita Pivkin
7b96351c32 perf(misconf): retrieve check metadata from annotations once (#8478) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-11 04:52:56 +00:00
simar7
573502e2e8 feat(misconf): Add support for aws_ami (#8499) 
Signed-off-by: Simar <simar@linux.com>
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-11 03:26:25 +00:00
Nikita Pivkin
c7814f1401 fix(misconf): skip Azure CreateUiDefinition (#8503) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-11 00:45:15 +00:00
Nikita Pivkin
19e2c10e89 refactor(misconf): use OPA v1 (#8518) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-11 00:36:13 +00:00
Nikita Pivkin
41512f846e fix(misconf): add ephemeral block type to config schema (#8513) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-11 00:23:41 +00:00
Nikita Pivkin
0e5e909765 perf(misconf): parse input for Rego once (#8483) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-08 07:49:24 +00:00
Teppei Fukuda
529957eac1 feat: replace TinyGo with standard Go for WebAssembly modules (#8496) 2025-03-07 10:10:15 +00:00
Teppei Fukuda
fe09410ed4 chore: replace deprecated tenv linter with usetesting (#8504) 2025-03-06 12:26:20 +00:00
DmitriyLewen
e5072f1eef fix(spdx): save text licenses into otherLicenses without normalize (#8502) 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2025-03-06 11:52:01 +00:00
dependabot[bot]
a93056133b chore(deps): bump the common group across 1 directory with 13 updates (#8491) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-06 06:02:34 +00:00
Teppei Fukuda
463b11731c chore: use go.mod for managing Go tools (#8493) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2025-03-05 11:57:29 +00:00
Aqua Security automated builds
2998dcdf07 ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0 (#8494) 
Co-authored-by: GitHub Actions <actions@github.com>
 2025-03-05 11:01:13 +00:00
Aqua Security automated builds
a4009f62fd release: v0.60.0 [main] (#8327) 2025-03-05 09:45:10 +00:00
DmitriyLewen
85cca8c07a fix(sbom): improve logic for binding direct dependency to parent component (#8489) 2025-03-05 09:08:46 +00:00
DmitriyLewen
9892d040bc chore(deps): remove missed replace of trivy-db (#8492) 2025-03-05 07:48:17 +00:00
dependabot[bot]
8a89b2b759 chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 directory (#8490) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-05 07:39:44 +00:00
Teppei Fukuda
57b08d62de chore(deps): update Go to 1.24 and switch to go-version-file (#8388) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2025-03-05 06:40:42 +00:00
Teppei Fukuda
453c66dd30 docs: add abbreviation list (#8453) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2025-03-05 03:14:44 +00:00
Steven Masley
f670602091 chore(terraform): assign *terraform.Module 'parent' field (#8444) 2025-03-05 02:23:09 +00:00
Teppei Fukuda
dd54f80d3f feat: add report summary table (#8177) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
 2025-03-04 09:26:06 +00:00
dependabot[bot]
ab1cf03a9d chore(deps): bump the github-actions group with 3 updates (#8473) 
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-04 03:28:23 +00:00
Teppei Fukuda
1f85b27773 refactor(vex): improve SBOM reference handling with project standards (#8457) 2025-03-03 12:57:13 +00:00
Teppei Fukuda
da0b8760e5 ci: update GitHub Actions cache to v4 (#8475) 2025-03-03 12:52:54 +00:00
DmitriyLewen
d464807321 feat: add --vuln-severity-source flag (#8269) 2025-03-03 10:59:30 +00:00
afdesk
6b4cebe959 fix(os): add mapping OS aliases (#8466) 2025-03-03 10:04:51 +00:00
dependabot[bot]
af1ea64f73 chore(deps): bump the aws group across 1 directory with 7 updates (#8468) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-03-03 10:03:23 +00:00
simar7
09cdae6639 chore(deps): Bump trivy-checks to v1.7.1 (#8467) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-03-03 06:03:16 +00:00
DmitriyLewen
3d3a3d6f19 refactor(report): write tables after rendering all results (#8357) 2025-03-02 11:02:36 +00:00
Thomas Grininger
036ab75434 docs: update VEX documentation index page (#8458) 2025-02-28 10:13:17 +00:00
DmitriyLewen
bb3cca6018 fix(db): fix case when 2 trivy-db were copied at the same time (#8452) 2025-02-28 10:11:27 +00:00
Nikita Pivkin
a99498cdd9 feat(misconf): render causes for Terraform (#8360) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-02-28 07:01:01 +00:00
Nikita Pivkin
a994453a7d fix(misconf): fix incorrect k8s locations due to JSON to YAML conversion (#8073) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-02-27 19:36:42 +00:00
Thomas Grininger
4820eb70fc feat(cyclonedx): Add initial support for loading external VEX files from SBOM references (#8254) 2025-02-27 07:21:09 +00:00
Tom Fay
3840d90f85 chore(deps): update go-rustaudit location (#8450) 
Signed-off-by: Tom Fay <tom@teamfay.co.uk>
 2025-02-27 03:03:33 +00:00
Itay Shakury
49456ba841 fix: update all documentation links (#8045) 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
 2025-02-26 10:41:46 +00:00
dependabot[bot]
b3521e87b2 chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#8443) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-02-26 06:33:37 +00:00
dependabot[bot]
50364b836f chore(deps): bump the common group with 6 updates (#8411) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-02-25 10:36:26 +00:00
afdesk
f987e41574 fix(k8s): add missed option PkgRelationships (#8442) 2025-02-24 23:34:18 +00:00
DmitriyLewen
ecc01bb3fb fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path (#8346) 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
 2025-02-24 11:28:20 +00:00
Maksim Nabokikh
e58dcfcf9f feat(go): fix parsing main module version for go >= 1.24 (#8433) 
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
 2025-02-24 11:22:13 +00:00
Nikita Pivkin
9c609c44a3 refactor(misconf): make Rego scanner independent of config type (#7517) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-02-21 22:56:12 +00:00
Nikita Pivkin
a3cd693a5e fix(image): disable AVD-DS-0007 for history scanning (#8366) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-02-21 19:56:53 +00:00
iamtraining
a1c4bd746f fix(server): secrets inspectation for the config analyzer in client server mode (#8418) 2025-02-19 09:31:44 +00:00
Teppei Fukuda
613fc71347 chore: remove mockery (#8417) 2025-02-18 12:52:53 +00:00
Teppei Fukuda
e9b3f0b79c test(server): replace mock driver with memory cache in server tests (#8416) 2025-02-18 07:28:11 +00:00
Teppei Fukuda
10b812710b test: replace mock with memory cache and fix non-deterministic tests (#8410) 2025-02-18 05:56:49 +00:00
Teppei Fukuda
5ed6fc67f5 test: replace mock with memory cache in scanner tests (#8413) 2025-02-18 04:50:54 +00:00
Teppei Fukuda
24d0e2bf2d test: use memory cache (#8403) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
 2025-02-17 07:15:32 +00:00
DmitriyLewen
72ea4b0632 fix(spdx): init pkgFilePaths map for all formats (#8380) 2025-02-17 07:10:22 +00:00
dependabot[bot]
9637286de4 chore(deps): bump the common group across 1 directory with 11 updates (#8381) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-02-17 07:09:36 +00:00
Florian Heberl
a3a68c610f docs: correct Ruby documentation (#8402) 2025-02-14 10:33:47 +00:00
DmitriyLewen
3e503a0cc2 chore: bump mockery to update v2.52.2 version and rebuild mock files (#8390) 2025-02-14 07:00:18 +00:00
DmitriyLewen
8715e5d14a fix: don't use scope for trivy registry login command (#8393) 2025-02-13 11:44:16 +00:00
DmitriyLewen
b675b06e89 fix(go): merge nested flags into string for ldflags for Go binaries (#8368) 2025-02-13 08:16:14 +00:00
Steven Masley
f9c5043dee chore(terraform): export module path on terraform modules (#8374) 2025-02-11 05:33:52 +00:00
Steven Masley
398620b471 fix(terraform): apply parser options to submodule parsing (#8377) 2025-02-11 05:31:39 +00:00
Greg M
02ebb4cb89 docs: Fix typos in documentation (#8361) 2025-02-06 06:38:25 +00:00
Guspan Tanadi
7b10defaa8 docs: fix navigate links (#8336) 2025-02-06 00:33:15 +00:00
Aqua Security automated builds
04c80a64af ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1 (#8354) 
Co-authored-by: afdesk <work@afdesk.com>
 2025-02-05 10:06:50 +00:00
DmitriyLewen
f7b3f87dd5 ci(spdx): add aqua-installer step to fix mage error (#8353) 2025-02-05 08:45:54 +00:00
Nikita Pivkin
ffa30235f0 chore: remove debug prints (#8347) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-02-04 12:57:08 +00:00
Nikita Pivkin
5695eb22df fix(misconf): do not log scanners when misconfig scanning is disabled (#8345) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-02-04 10:44:39 +00:00
DmitriyLewen
3eb0b03f7c fix(report): remove html escaping for shortDescription and fullDescription fields for sarif reports (#8344) 2025-02-04 10:27:26 +00:00
DmitriyLewen
3e13633615 chore(deps): bump Go to v1.23.5 (#8341) 2025-02-04 06:12:45 +00:00
DmitriyLewen
10cd98cf55 fix(python): add poetry v2 support (#8323) 
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-02-03 08:22:12 +00:00
dependabot[bot]
9b74384842 chore(deps): bump the github-actions group across 1 directory with 4 updates (#8331) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-02-03 05:54:06 +00:00
Michael Foley
39789fff43 fix(misconf): ecs include enhanced for container insights (#8326) 
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
 2025-01-31 19:06:33 +00:00
Teppei Fukuda
bd5baaf930 fix(sbom): preserve OS packages from multiple SBOMs (#8325) 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
 2025-01-31 12:04:24 +00:00
Aqua Security automated builds
1d5ab92c7c ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0 (#8311) 
Co-authored-by: GitHub Actions <actions@github.com>
 2025-01-30 10:27:39 +00:00
522 changed files with 17030 additions and 10802 deletions
Expand all files Collapse all files

4
.github/DISCUSSION_TEMPLATE/bugs.yml vendored
View File

@@ -10,7 +10,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description
@@ -117,7 +117,7 @@ body:
description: Have you tried the following?
options:
- label: Run `trivy clean --all`
- label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
- label: Read [the troubleshooting](https://trivy.dev/latest/docs/references/troubleshooting/)
- type: markdown
attributes:
value: |

2
.github/DISCUSSION_TEMPLATE/documentation.yml vendored
View File

@@ -7,7 +7,7 @@ body:
Feel free to create a docs report if something doesn't work as expected or is unclear in the documentation.
Please ensure that you're not creating a duplicate report by searching the [issues](https://github.com/aquasecurity/trivy/issues)/[discussions](https://github.com/aquasecurity/trivy/discussions) beforehand.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description

4
.github/DISCUSSION_TEMPLATE/false-detection.yml vendored
View File

@@ -8,7 +8,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
- type: input
attributes:
label: IDs
@@ -86,7 +86,7 @@ body:
attributes:
label: Checklist
options:
- label: Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
- label: Read [the documentation regarding wrong detection](https://trivy.dev/dev/community/contribute/discussion/#false-detection)
- label: Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
validations:
required: true

2
.github/DISCUSSION_TEMPLATE/ideas.yml vendored
View File

@@ -9,7 +9,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Description

2
.github/DISCUSSION_TEMPLATE/q-a.yml vendored
View File

@@ -9,7 +9,7 @@ body:
**Do not open a GitHub issue, please.** Maintainers triage discussions and then create issues.
Please also check [our contribution guidelines](https://aquasecurity.github.io/trivy/latest/community/contribute/discussion/).
Please also check [our contribution guidelines](https://trivy.dev/latest/community/contribute/discussion/).
- type: textarea
attributes:
label: Question

4
.github/pull_request_template.md vendored
View File

@@ -10,8 +10,8 @@
Remove this section if you don't have related PRs.
## Checklist
- [ ] I've read the [guidelines for contributing](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/) to this repository.
- [ ] I've followed the [conventions](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/#title) in the PR title.
- [ ] I've read the [guidelines for contributing](https://trivy.dev/latest/community/contribute/pr/) to this repository.
- [ ] I've followed the [conventions](https://trivy.dev/latest/community/contribute/pr/#title) in the PR title.
- [ ] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)

2
.github/workflows/auto-close-issue.yaml vendored
View File

@@ -26,7 +26,7 @@ jobs:
// If the user does not have write or admin permissions, leave a comment and close the issue
if (permission !== 'write' && permission !== 'admin') {
const commentBody = "Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/";
const commentBody = "Please see https://trivy.dev/latest/community/contribute/issue/";
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,

11
.github/workflows/auto-update-labels.yaml vendored
View File

@@ -5,8 +5,6 @@ on:
- 'misc/triage/labels.yaml'
branches:
- main
env:
GO_VERSION: '1.23'
jobs:
deploy:
name: Auto-update labels
@@ -18,14 +16,11 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
# cf. https://github.com/aquasecurity/trivy/pull/6711
go-version: ${{ env.GO_VERSION }}
go-version-file: go.mod
cache: false
- name: Install aqua tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: update labels
env:

12
.github/workflows/cache-test-images.yaml vendored
View File

@@ -18,10 +18,8 @@ jobs:
go-version-file: go.mod
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Generate image list digest
if: github.ref_name == 'main'
@@ -59,10 +57,8 @@ jobs:
go-version-file: go.mod
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Generate image list digest
if: github.ref_name == 'main'

2
.github/workflows/canary.yaml vendored
View File

@@ -25,7 +25,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Restore Trivy binaries from cache
uses: actions/cache@v4.0.2
uses: actions/cache@v4
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

17
.github/workflows/publish-chart.yaml vendored
View File

@@ -33,7 +33,7 @@ jobs:
with:
fetch-depth: 0
- name: Install Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814
uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112
with:
version: v3.14.4
- name: Set up python
@@ -43,9 +43,9 @@ jobs:
check-latest: true
- name: Setup Chart Linting
id: lint
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992
uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b
- name: Setup Kubernetes cluster (KIND)
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3
with:
version: ${{ env.KIND_VERSION }}
image: ${{ env.KIND_IMAGE }}
@@ -65,16 +65,19 @@ jobs:
uses: actions/checkout@v4.1.6
with:
fetch-depth: 0
- name: Set up Git user
run: |
git config --global user.email "actions@github.com"
git config --global user.name "GitHub Actions"
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
- name: Set up Go
uses: actions/setup-go@v5
with:
aqua_version: v1.25.0
aqua_opts: ""
go-version-file: go.mod
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Create a PR with Trivy version
run: mage helm:updateVersion

2
.github/workflows/release.yaml vendored
View File

@@ -24,7 +24,7 @@ jobs:
fetch-depth: 0
- name: Restore Trivy binaries from cache
uses: actions/cache@v4.0.2
uses: actions/cache@v4
with:
path: dist/
key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

7
.github/workflows/reusable-release.yaml vendored
View File

@@ -14,7 +14,6 @@ on:
env:
GH_USER: "aqua-bot"
GO_VERSION: '1.23'
jobs:
release:
@@ -28,7 +27,7 @@ jobs:
contents: read # Not required for public repositories, but for clarity
steps:
- name: Cosign install
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
@@ -68,7 +67,7 @@ jobs:
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
go-version-file: go.mod
cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
- name: Generate SBOM
@@ -120,7 +119,7 @@ jobs:
public.ecr.aws/aquasecurity/trivy:canary
- name: Cache Trivy binaries
uses: actions/cache@v4.0.2
uses: actions/cache@v4
with:
path: dist/
# use 'github.sha' to create a unique cache folder for each run.

8
.github/workflows/spdx-cron.yaml vendored
View File

@@ -12,6 +12,14 @@ jobs:
- name: Check out code
uses: actions/checkout@v4.1.6
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Check if SPDX exceptions are up-to-date
run: |
mage spdx:updateLicenseExceptions

45
.github/workflows/test.yaml vendored
View File

@@ -11,8 +11,6 @@ on:
merge_group:
workflow_dispatch:
env:
GO_VERSION: '1.23'
jobs:
test:
name: Test
@@ -26,7 +24,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
go-version-file: go.mod
cache: false
- name: go mod tidy
@@ -40,9 +38,9 @@ jobs:
- name: Lint
id: lint
uses: golangci/golangci-lint-action@v6.1.1
uses: golangci/golangci-lint-action@v6.5.0
with:
version: v1.61
version: v1.64
args: --verbose --out-format=line-number
if: matrix.operating-system == 'ubuntu-latest'
@@ -53,10 +51,7 @@ jobs:
if: ${{ failure() && steps.lint.conclusion == 'failure' }}
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
aqua_opts: ""
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Check if CLI references are up-to-date
run: |
@@ -80,13 +75,11 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
go-version-file: go.mod
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Generate image list digest
id: image-digest
@@ -117,13 +110,11 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
go-version-file: go.mod
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Run k8s integration tests
run: mage test:k8s
@@ -138,13 +129,11 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
go-version-file: go.mod
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Generate image list digest
id: image-digest
@@ -177,13 +166,11 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
go-version-file: go.mod
cache: false
- name: Install tools
uses: aquaproj/aqua-installer@v3.0.1
with:
aqua_version: v1.25.0
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
- name: Generate image list digest
id: image-digest
@@ -220,7 +207,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}
go-version-file: go.mod
cache: false
- name: Determine GoReleaser ID

8
.golangci.yaml
View File

@@ -73,7 +73,8 @@ linters-settings:
- G304
- G402
govet:
check-shadowing: false
disable:
- shadow
misspell:
locale: US
ignore-words:
@@ -113,7 +114,7 @@ linters:
- misspell
- perfsprint
- revive
- tenv
- usetesting
- testifylint
- typecheck
- unconvert
@@ -121,12 +122,11 @@ linters:
- usestdlibvars
run:
go: '1.23'
go: '1.24'
timeout: 30m
issues:
exclude-files:
- "mock_*.go$"
- "examples/*"
exclude-dirs:
- "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions

2
.release-please-manifest.json
View File

@@ -1 +1 @@
{".":"0.59.0"}
{".":"0.61.0"}

70
CHANGELOG.md
View File

@@ -1,5 +1,75 @@
# Changelog
## [0.61.0](https://github.com/aquasecurity/trivy/compare/v0.60.0...v0.61.0) (2025-03-28)
### Features
* **fs:** optimize scanning performance by direct file access for known paths ([#8525](https://github.com/aquasecurity/trivy/issues/8525)) ([8bf6caf](https://github.com/aquasecurity/trivy/commit/8bf6caf98e2b1eff7bd16987f6791122d827747c))
* **k8s:** add support for controllers ([#8614](https://github.com/aquasecurity/trivy/issues/8614)) ([1bf0117](https://github.com/aquasecurity/trivy/commit/1bf0117f776953bbfe67cf32e4231360010fdf33))
* **misconf:** adapt aws_default_security_group ([#8538](https://github.com/aquasecurity/trivy/issues/8538)) ([b57eccb](https://github.com/aquasecurity/trivy/commit/b57eccb09c33df4ad0423fb148ddeaa292028401))
* **misconf:** adapt aws_opensearch_domain ([#8550](https://github.com/aquasecurity/trivy/issues/8550)) ([9913465](https://github.com/aquasecurity/trivy/commit/9913465a535c29b377bd2f2563163ccf7cbcd6a4))
* **misconf:** adapt AWS::DynamoDB::Table ([#8529](https://github.com/aquasecurity/trivy/issues/8529)) ([8112cdf](https://github.com/aquasecurity/trivy/commit/8112cdf8d638fa2bf57e5687e32f54b704c7e6b7))
* **misconf:** adapt AWS::EC2::VPC ([#8534](https://github.com/aquasecurity/trivy/issues/8534)) ([0d9865f](https://github.com/aquasecurity/trivy/commit/0d9865f48f46e85595af40140faa5ff6f02b9a02))
* **misconf:** Add support for aws_ami ([#8499](https://github.com/aquasecurity/trivy/issues/8499)) ([573502e](https://github.com/aquasecurity/trivy/commit/573502e2e83ff18020d5e7dcad498468a548733e))
* replace TinyGo with standard Go for WebAssembly modules ([#8496](https://github.com/aquasecurity/trivy/issues/8496)) ([529957e](https://github.com/aquasecurity/trivy/commit/529957eac1fc790c57fa3d93524a901ce842a9f5))
### Bug Fixes
* **debian:** don't include empty licenses for `dpkgs` ([#8623](https://github.com/aquasecurity/trivy/issues/8623)) ([346f5b3](https://github.com/aquasecurity/trivy/commit/346f5b3553b9247f99f89d859d4f835e955d34e9))
* **fs:** check postAnalyzers for StaticPaths ([#8543](https://github.com/aquasecurity/trivy/issues/8543)) ([c228307](https://github.com/aquasecurity/trivy/commit/c22830766e8cf1532f20198864757161eed6fda4))
* **k8s:** show report for `--report all` ([#8613](https://github.com/aquasecurity/trivy/issues/8613)) ([dbb6f28](https://github.com/aquasecurity/trivy/commit/dbb6f288712240ef5dec59952e33b73e3a6d5b06))
* **misconf:** add ephemeral block type to config schema ([#8513](https://github.com/aquasecurity/trivy/issues/8513)) ([41512f8](https://github.com/aquasecurity/trivy/commit/41512f846e75bae73984138ad7b3d03284a53f19))
* **misconf:** Check values wholly prior to evalution ([#8604](https://github.com/aquasecurity/trivy/issues/8604)) ([ad58cf4](https://github.com/aquasecurity/trivy/commit/ad58cf4457ebef80ff0bc4c113d4ab4c86a9fe56))
* **misconf:** do not skip loading documents from subdirectories ([#8526](https://github.com/aquasecurity/trivy/issues/8526)) ([de7eb13](https://github.com/aquasecurity/trivy/commit/de7eb13938f2709983a27ab3f59dbfac3fb74651))
* **misconf:** do not use cty.NilVal for non-nil values ([#8567](https://github.com/aquasecurity/trivy/issues/8567)) ([400a79c](https://github.com/aquasecurity/trivy/commit/400a79c2c693e462ad2e1cfc21305ef13d2ec224))
* **misconf:** identify the chart file exactly by name ([#8590](https://github.com/aquasecurity/trivy/issues/8590)) ([ba77dbe](https://github.com/aquasecurity/trivy/commit/ba77dbe5f952d67bbbbc0f43543d5f34135bc280))
* **misconf:** Improve logging for unsupported checks ([#8634](https://github.com/aquasecurity/trivy/issues/8634)) ([5b7704d](https://github.com/aquasecurity/trivy/commit/5b7704d1d091a12822df060ee7a679135185f2ae))
* **misconf:** set default values for AWS::EKS::Cluster.ResourcesVpcConfig ([#8548](https://github.com/aquasecurity/trivy/issues/8548)) ([1f05b45](https://github.com/aquasecurity/trivy/commit/1f05b4545d8f1de3ee703de66a7b3df2baaa07a7))
* **misconf:** skip Azure CreateUiDefinition ([#8503](https://github.com/aquasecurity/trivy/issues/8503)) ([c7814f1](https://github.com/aquasecurity/trivy/commit/c7814f1401b0cc66a557292fe07da24d0ea7b5cc))
* **spdx:** save text licenses into `otherLicenses` without normalize ([#8502](https://github.com/aquasecurity/trivy/issues/8502)) ([e5072f1](https://github.com/aquasecurity/trivy/commit/e5072f1eef8f3a78f4db48b4ac3f7c48aeec5e92))
* use `--file-patterns` flag for all post analyzers ([#7365](https://github.com/aquasecurity/trivy/issues/7365)) ([8b88238](https://github.com/aquasecurity/trivy/commit/8b88238f07e389cc32e2478f84aceaf860e421ef))
### Performance Improvements
* **misconf:** parse input for Rego once ([#8483](https://github.com/aquasecurity/trivy/issues/8483)) ([0e5e909](https://github.com/aquasecurity/trivy/commit/0e5e9097650f60bc54f47a21ecc937a66e66e225))
* **misconf:** retrieve check metadata from annotations once ([#8478](https://github.com/aquasecurity/trivy/issues/8478)) ([7b96351](https://github.com/aquasecurity/trivy/commit/7b96351c32d264d136978fe8fd9e113ada69bb2b))
## [0.60.0](https://github.com/aquasecurity/trivy/compare/v0.59.0...v0.60.0) (2025-03-05)
### Features
* add `--vuln-severity-source` flag ([#8269](https://github.com/aquasecurity/trivy/issues/8269)) ([d464807](https://github.com/aquasecurity/trivy/commit/d4648073211e8451d66e4c0399e9441250b60a76))
* add report summary table ([#8177](https://github.com/aquasecurity/trivy/issues/8177)) ([dd54f80](https://github.com/aquasecurity/trivy/commit/dd54f80d3fda7821dba13553480e9893ba8b4cb3))
* **cyclonedx:** Add initial support for loading external VEX files from SBOM references ([#8254](https://github.com/aquasecurity/trivy/issues/8254)) ([4820eb7](https://github.com/aquasecurity/trivy/commit/4820eb70fc926a35d759c373112dbbdca890fd46))
* **go:** fix parsing main module version for go &gt;= 1.24 ([#8433](https://github.com/aquasecurity/trivy/issues/8433)) ([e58dcfc](https://github.com/aquasecurity/trivy/commit/e58dcfcf9f102c12825d5343ebbcc12a2d6c05c5))
* **misconf:** render causes for Terraform ([#8360](https://github.com/aquasecurity/trivy/issues/8360)) ([a99498c](https://github.com/aquasecurity/trivy/commit/a99498cdd9b7bdac000140af6654bfe30135242d))
### Bug Fixes
* **db:** fix case when 2 trivy-db were copied at the same time ([#8452](https://github.com/aquasecurity/trivy/issues/8452)) ([bb3cca6](https://github.com/aquasecurity/trivy/commit/bb3cca6018551e96fdd357563dc177215ca29bd4))
* don't use `scope` for `trivy registry login` command ([#8393](https://github.com/aquasecurity/trivy/issues/8393)) ([8715e5d](https://github.com/aquasecurity/trivy/commit/8715e5d14a727667c2e62d6f7a4b5308a0323386))
* **go:** merge nested flags into string for ldflags for Go binaries ([#8368](https://github.com/aquasecurity/trivy/issues/8368)) ([b675b06](https://github.com/aquasecurity/trivy/commit/b675b06e897aaf374e7b1262d4323060a8a62edb))
* **image:** disable AVD-DS-0007 for history scanning ([#8366](https://github.com/aquasecurity/trivy/issues/8366)) ([a3cd693](https://github.com/aquasecurity/trivy/commit/a3cd693a5ea88def2f9057df6178b0c0e7a6bdb0))
* **k8s:** add missed option `PkgRelationships` ([#8442](https://github.com/aquasecurity/trivy/issues/8442)) ([f987e41](https://github.com/aquasecurity/trivy/commit/f987e4157494434f6e4e4566fedfedda92167565))
* **misconf:** do not log scanners when misconfig scanning is disabled ([#8345](https://github.com/aquasecurity/trivy/issues/8345)) ([5695eb2](https://github.com/aquasecurity/trivy/commit/5695eb22dfed672eafacb64a71da8e9bdfbaab87))
* **misconf:** ecs include enhanced for container insights ([#8326](https://github.com/aquasecurity/trivy/issues/8326)) ([39789ff](https://github.com/aquasecurity/trivy/commit/39789fff438d11bc6eccd254b3b890beb68c240b))
* **misconf:** fix incorrect k8s locations due to JSON to YAML conversion ([#8073](https://github.com/aquasecurity/trivy/issues/8073)) ([a994453](https://github.com/aquasecurity/trivy/commit/a994453a7d0f543fe30c4dc8adbc92ad0c21bcbc))
* **os:** add mapping OS aliases ([#8466](https://github.com/aquasecurity/trivy/issues/8466)) ([6b4cebe](https://github.com/aquasecurity/trivy/commit/6b4cebe9592f3a06bd91aa58ba6d65869afebbee))
* **python:** add `poetry` v2 support ([#8323](https://github.com/aquasecurity/trivy/issues/8323)) ([10cd98c](https://github.com/aquasecurity/trivy/commit/10cd98cf55263749cb2583063a2e9e9953c7371a))
* **report:** remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports ([#8344](https://github.com/aquasecurity/trivy/issues/8344)) ([3eb0b03](https://github.com/aquasecurity/trivy/commit/3eb0b03f7c9ee462daccfacb291b2c463d848ff5))
* **sbom:** add SBOM file's filePath as Application FilePath if we can't detect its path ([#8346](https://github.com/aquasecurity/trivy/issues/8346)) ([ecc01bb](https://github.com/aquasecurity/trivy/commit/ecc01bb3fb876fd0cc503cb38efa23e4fb9484b4))
* **sbom:** improve logic for binding direct dependency to parent component ([#8489](https://github.com/aquasecurity/trivy/issues/8489)) ([85cca8c](https://github.com/aquasecurity/trivy/commit/85cca8c07affee4ded5c232efb45b05dacf22242))
* **sbom:** preserve OS packages from multiple SBOMs ([#8325](https://github.com/aquasecurity/trivy/issues/8325)) ([bd5baaf](https://github.com/aquasecurity/trivy/commit/bd5baaf93054d71223e0721c7547a0567dea3b02))
* **server:** secrets inspectation for the config analyzer in client server mode ([#8418](https://github.com/aquasecurity/trivy/issues/8418)) ([a1c4bd7](https://github.com/aquasecurity/trivy/commit/a1c4bd746f5f901e2a8f09f48f58b973b9103165))
* **spdx:** init `pkgFilePaths` map for all formats ([#8380](https://github.com/aquasecurity/trivy/issues/8380)) ([72ea4b0](https://github.com/aquasecurity/trivy/commit/72ea4b0632308bd6150aaf2f1549a3f10b60dc23))
* **terraform:** apply parser options to submodule parsing ([#8377](https://github.com/aquasecurity/trivy/issues/8377)) ([398620b](https://github.com/aquasecurity/trivy/commit/398620b471c25e467018bc23df53a3a1c2aa661c))
* update all documentation links ([#8045](https://github.com/aquasecurity/trivy/issues/8045)) ([49456ba](https://github.com/aquasecurity/trivy/commit/49456ba8410e0e4cc1756906ccea1fdd60006d2d))
## [0.59.0](https://github.com/aquasecurity/trivy/compare/v0.58.0...v0.59.0) (2025-01-30)

2
CONTRIBUTING.md
View File

@@ -1 +1 @@
See [Issues](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/) and [Pull Requests](https://aquasecurity.github.io/trivy/latest/community/contribute/pr/)
See [Issues](https://trivy.dev/latest/community/contribute/issue/) and [Pull Requests](https://trivy.dev/latest/community/contribute/pr/)

2
Dockerfile
View File

@@ -1,4 +1,4 @@
FROM alpine:3.21.0
FROM alpine:3.21.3
RUN apk --no-cache add ca-certificates git
COPY trivy /usr/local/bin/trivy
COPY contrib/*.tpl contrib/

2
Dockerfile.canary
View File

@@ -1,4 +1,4 @@
FROM alpine:3.21.0
FROM alpine:3.21.3
RUN apk --no-cache add ca-certificates git
# binaries were created with GoReleaser

2
Dockerfile.protoc
View File

@@ -1,4 +1,4 @@
FROM --platform=linux/amd64 golang:1.23
FROM --platform=linux/amd64 golang:1.24
# Set environment variable for protoc
ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

12
README.md
View File

@@ -107,7 +107,7 @@ trivy k8s --report summary cluster
## Want more? Check out Aqua
If you liked Trivy, you will love Aqua which builds on top of Trivy to provide even more enhanced capabilities for a complete security management offering.
You can find a high level comparison table specific to Trivy users [here](https://trivy.dev/commercial/comparison).
You can find a high level comparison table specific to Trivy users [here](https://trivy.dev/latest/commercial/compare/).
In addition check out the <https://aquasec.com> website for more information about our products and services.
If you'd like to contact Aqua or request a demo, please use this form: <https://www.aquasec.com/demo>
@@ -116,7 +116,6 @@ If you'd like to contact Aqua or request a demo, please use this form: <https://
Trivy is an [Aqua Security][aquasec] open source project.
Learn about our open source work and portfolio [here][oss].
Contact us about any matter by opening a GitHub Discussion [here][discussions]
Join our [Slack community][slack] to stay up to date with community efforts.
Please ensure to abide by our [Code of Conduct][code-of-conduct] during all interactions.
@@ -131,14 +130,13 @@ Please ensure to abide by our [Code of Conduct][code-of-conduct] during all inte
[license]: https://github.com/aquasecurity/trivy/blob/main/LICENSE
[license-img]: https://img.shields.io/badge/License-Apache%202.0-blue.svg
[homepage]: https://trivy.dev
[docs]: https://aquasecurity.github.io/trivy
[docs]: https://trivy.dev/latest/docs/
[pronunciation]: #how-to-pronounce-the-name-trivy
[slack]: https://slack.aquasec.com
[code-of-conduct]: https://github.com/aquasecurity/community/blob/main/CODE_OF_CONDUCT.md
[Installation]:https://aquasecurity.github.io/trivy/latest/getting-started/installation/
[Ecosystem]: https://aquasecurity.github.io/trivy/latest/ecosystem/
[Scanning Coverage]: https://aquasecurity.github.io/trivy/latest/docs/coverage/
[Installation]:https://trivy.dev/latest/getting-started/installation/
[Ecosystem]: https://trivy.dev/latest/ecosystem/
[Scanning Coverage]: https://trivy.dev/latest/docs/coverage/
[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
[rego]: https://www.openpolicyagent.org/docs/latest/#rego

10
aqua.yaml
View File

@@ -1,10 +0,0 @@
---
# aqua - Declarative CLI Version Manager
# https://aquaproj.github.io/
registries:
- type: standard
ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
packages:
- name: tinygo-org/tinygo@v0.33.0
- name: WebAssembly/binaryen@version_112
- name: magefile/mage@v1.14.0

2
docs/commercial/compare.md
View File

@@ -66,7 +66,7 @@ If you'd like to learn more or request a demo, [click here to contact us](./cont
| Feature | Trivy OSS | Aqua |
| --- | --- | --- |
| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/policy/builtin/) | In addition, Build Pipeline configuration scanning |
| Infrastructure as Code (IaC) | Many popular languages as detailed [here](https://trivy.dev/latest/docs/scanner/misconfiguration/policy/builtin/) | In addition, Build Pipeline configuration scanning |
| Checks customization | Create custom checks with Rego | Create custom checks in no-code interface <br> Customize existing checks with organizational preferences |
| Cloud scanning | AWS (subset of services) | AWS, Azure, GCP, Alibaba Cloud, Oracle Cloud |
| Compliance frameworks | CIS, NSA, vendor guides | More than 25 compliance programs |

2
docs/community/contribute/checks/overview.md
View File

@@ -80,7 +80,7 @@ The package name should be in the format `builtin.PROVIDER.SERVICE.ID`, e.g. `bu
## Generating an ID
Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribue your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID.
Every check has a custom ID that is referenced throughout the metadata of the check to uniquely identify the check. If you plan to contribute your check back into the [trivy-checks](https://github.com/aquasecurity/trivy-checks) repository, it will require a valid ID.
Running `make id` in the root of the trivy-checks repository will provide you with the next available _ID_ for your rule.

2
docs/community/contribute/checks/service-support.md
View File

@@ -57,7 +57,7 @@ type AWS struct {
### Update Adapters
Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adatper as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
Now you'll need to update all of the [adapters](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/adapters) which populate the struct of the provider that you have been using. Following the example above, if you want to add support for CodeBuild in Terraform, you'll need to update the Terraform AWS adapter as shown here: [`trivy/pkg/iac/adapters/terraform/aws/codebuild/adapt.go`](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/adapters/terraform/aws/codebuild/adapt.go).
Another example for updating the adapters is provided in the [following PR.](https://github.com/aquasecurity/defsec/pull/1000/files) Additionally, please refer to the respective Terraform documentation on the provider to which you are adding the service. For instance, the Terraform documentation for AWS CodeBuild is provided [here.](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project)

2
docs/community/contribute/discussion.md
View File

@@ -24,7 +24,7 @@ There are 4 categories:
If you find any false positives or false negatives, please make sure to report them under the "False Detection" category, not "Bugs".
## False detection
Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#data-sources).
Trivy depends on [multiple data sources](https://trivy.dev/latest/docs/scanner/vulnerability/#data-sources).
Sometime these databases contain mistakes.
If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:

2
docs/docs/advanced/air-gap.md
View File

@@ -10,7 +10,7 @@ External Resource | Feature | Details
Vulnerability Database | Vulnerability scanning | [Trivy DB](../scanner/vulnerability.md)
Java Vulnerability Database | Java vulnerability scanning | [Trivy Java DB](../coverage/language/java.md)
Checks Bundle | Misconfigurations scanning | [Trivy Checks](../scanner/misconfiguration/check/builtin.md)
VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo/#vex-hub)
VEX Hub | VEX Hub | [VEX Hub](../supply-chain/vex/repo.md)
Maven Central / Remote Repositories | Java vulnerability scanning | [Java Scanner/Remote Repositories](../coverage/language/java.md#remote-repositories)
!!! note

24
docs/docs/advanced/modules.md
View File

@@ -12,7 +12,7 @@ They provide a way to extend the core feature set of Trivy, but without updating
- They can be added and removed from a Trivy installation without impacting the core Trivy tool.
- They can be written in any programming language supporting WebAssembly.
- It supports only [TinyGo][tinygo] at the moment.
- It supports only Go at the moment.
You can write your own detection logic.
@@ -94,9 +94,9 @@ $ trivy module uninstall ghcr.io/aquasecurity/trivy-module-spring4shell
```
## Building Modules
It supports TinyGo only at the moment.
It supports Go only at the moment.
### TinyGo
### Go
Trivy provides Go SDK including three interfaces.
Your own module needs to implement either or both `Analyzer` and `PostScanner` in addition to `Module`.
@@ -113,7 +113,7 @@ type Analyzer interface {
type PostScanner interface {
PostScanSpec() serialize.PostScanSpec
PostScan(serialize.Results) (serialize.Results, error)
PostScan(types.Results) (types.Results, error)
}
```
@@ -142,6 +142,9 @@ const (
name = "wordpress-module"
)
// main is required for Go to compile the Wasm module
func main() {}
type WordpressModule struct{
// Cannot define fields as modules can't keep state.
}
@@ -203,7 +206,7 @@ func (WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, erro
}
return &serialize.AnalysisResult{
CustomResources: []serialize.CustomResource{
CustomResources: []ftypes.CustomResource{
{
Type: typeWPVersion,
FilePath: filePath,
@@ -246,7 +249,7 @@ func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
}
}
func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
func (WordpressModule) PostScan(results types.Results) (types.Results, error) {
// e.g. results
// [
// {
@@ -288,7 +291,7 @@ func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, e
if vulnerable {
// Add CVE-2020-36326
results = append(results, serialize.Result{
results = append(results, types.Result{
Target: wpPath,
Class: types.ClassLangPkg,
Type: "wordpress",
@@ -318,10 +321,10 @@ In the `Delete` action, `PostScan` needs to return results you want to delete.
If `PostScan` returns an empty, Trivy will not delete anything.
#### Build
Follow [the install guide][tinygo-installation] and install TinyGo.
Follow [the install guide][go-installation] and install Go.
```bash
$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go
$ GOOS=wasip1 GOARCH=wasm go build -o wordpress.wasm -buildmode=c-shared wordpress.go
```
Put the built binary to the module directory that is under the home directory by default.
@@ -347,12 +350,11 @@ Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
[regexp]: https://github.com/google/re2/wiki/Syntax
[tinygo]: https://tinygo.org/
[spring4shell]: https://blog.aquasec.com/zero-day-rce-vulnerability-spring4shell
[wazero]: https://github.com/tetratelabs/wazero
[trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
[trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
[tinygo-installation]: https://tinygo.org/getting-started/install/
[go-installation]: https://go.dev/doc/install
[oras]: https://oras.land/cli/

8
docs/docs/advanced/self-hosting.md
View File

@@ -14,7 +14,7 @@ To host these databases in your own infrastructure:
### Make a local copy
Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md, [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.
Use any container registry manipulation tool (e.g , [crane](https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane.md), [ORAS](https://oras.land), [regclient](https://github.com/regclient/regclient/tree/main)) to copy the images to your destination registry.
!!! note
You will need to keep the databases updated in order to maintain relevant scanning results over time.
@@ -123,10 +123,10 @@ To make a copy of VEX Hub in a location that is accessible to Trivy.
To configure Trivy to use the local VEX Repository:
1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo/#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
1. Locate your [Trivy VEX configuration file](../supply-chain/vex/repo.md#configuration-file) by running `trivy vex repo init`. Make the following changes to the file.
1. Disable the default VEX Hub repo (`enabled: false`)
1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo/#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
1. Add your internal VEX Hub repository as a [custom repository](../supply-chain/vex/repo.md#custom-repositories) with the URL pointing to your local server (e.g `url: https://server.local`).
### Authentication
If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo/#authentication).
If your server requires authentication, you can configure it as described in the [VEX Repository Authentication document](../supply-chain/vex/repo.md#authentication).

7
docs/docs/compliance/compliance.md
View File

@@ -35,7 +35,6 @@ For the list of built-in compliance reports, please see the relevant section:
- [Docker compliance](../target/container_image.md#compliance)
- [Kubernetes compliance](../target/kubernetes.md#compliance)
- [AWS compliance](../target/aws.md#compliance)
## Contribute a Built-in Compliance Report
@@ -166,7 +165,7 @@ Example of how to define command data under [commands folder](https://github.com
title: kubelet.conf file permissions
nodeType: worker
audit: stat -c %a $kubelet.kubeconfig
platfroms:
platforms:
- k8s
- aks
```
@@ -181,7 +180,7 @@ make command-id
#### Command Key
- Re-use an existing key or specifiy a new one (make sure key name has no spaces)
- Re-use an existing key or specify a new one (make sure key name has no spaces)
Note: The key value should match the key name evaluated by the Rego check.
@@ -198,7 +197,7 @@ Specify the node type on which the command is supposed to run.
### Command Audit
Specify here the shell command to be used please make sure to add error supression (2>/dev/null)
Specify here the shell command to be used please make sure to add error suppression (2>/dev/null)
### Command Platforms

2
docs/docs/compliance/contrib-compliance.md
View File

@@ -56,7 +56,7 @@ Thus, we can use the information already present:
```
- The `ID`, `name`, and `description` is taken directly from the AWS EKS CIS Benchmarks
- The `check` and `severity` are taken from the existing complaince check in the `k8s-cis-1.23.yaml`
- The `check` and `severity` are taken from the existing compliance check in the `k8s-cis-1.23.yaml`
#### 2. Referencing a check manually that is not part of the Trivy default checks

6
docs/docs/configuration/cache.md
View File

@@ -96,11 +96,11 @@ $ trivy server --cache-backend redis://localhost:6379 \
--redis-key /path/to/key.pem
```
[trivy-db]: ./db.md#vulnerability-database
[trivy-java-db]: ./db.md#java-index-database
[trivy-db]: ./db.md
[trivy-java-db]: ./db.md
[misconf-checks]: ../scanner/misconfiguration/check/builtin.md
[boltdb]: https://github.com/etcd-io/bbolt
[parallel-run]: https://aquasecurity.github.io/trivy/v0.52/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
[parallel-run]: https://trivy.dev/{{ git.tag}}/docs/references/troubleshooting/#running-in-parallel-takes-same-time-as-series-run
[^1]: Downloaded when scanning for vulnerabilities
[^2]: Downloaded when scanning `jar/war/par/ear` files

2
docs/docs/configuration/filtering.md
View File

@@ -394,7 +394,7 @@ $ trivy image --ignorefile ./.trivyignore.yaml python:3.9.16-alpine3.16
2023-08-31T11:10:27.155+0600 INFO Vulnerability scanning is enabled
2023-08-31T11:10:27.155+0600 INFO Secret scanning is enabled
2023-08-31T11:10:27.155+0600 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-31T11:10:27.155+0600 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-31T11:10:27.155+0600 INFO Please see also https://trivy.dev/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-31T11:10:29.164+0600 INFO Detected OS: alpine
2023-08-31T11:10:29.164+0600 INFO Detecting Alpine vulnerabilities...
2023-08-31T11:10:29.169+0600 INFO Number of language-specific files: 1

165
docs/docs/configuration/reporting.md
View File

@@ -19,9 +19,152 @@ Trivy supports the following formats:
| Secret | ✓ |
| License | ✓ |
```bash
$ trivy image -f table golang:1.22.11-alpine3.20
```
$ trivy image -f table golang:1.12-alpine
<details>
<summary>Result</summary>
```
...
Report Summary
┌─────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ golang:1.22.11-alpine3.20 (alpine 3.20.5) │ alpine │ 6 │ - │
├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/go/bin/go │ gobinary │ 1 │ - │
├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
...
├─────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/go/pkg/tool/linux_amd64/vet │ gobinary │ 1 │ - │
└─────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
golang:1.22.11-alpine3.20 (alpine 3.20.5)
Total: 6 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)
┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-12797 │ HIGH │ fixed │ 3.3.2-r1 │ 3.3.3-r0 │ openssl: RFC7250 handshakes with unauthenticated servers │
│ │ │ │ │ │ │ don't abort as expected │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-12797 │
│ ├────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2024-13176 │ MEDIUM │ │ │ 3.3.2-r2 │ openssl: Timing side-channel in ECDSA signature computation │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-13176 │
├────────────┼────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3 │ CVE-2024-12797 │ HIGH │ │ │ 3.3.3-r0 │ openssl: RFC7250 handshakes with unauthenticated servers │
│ │ │ │ │ │ │ don't abort as expected │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-12797 │
│ ├────────────────┼──────────┤ │ ├───────────────┼─────────────────────────────────────────────────────────────┤
│ │ CVE-2024-13176 │ MEDIUM │ │ │ 3.3.2-r2 │ openssl: Timing side-channel in ECDSA signature computation │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-13176 │
├────────────┼────────────────┼──────────┤ ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ musl │ CVE-2025-26519 │ UNKNOWN │ │ 1.2.5-r0 │ 1.2.5-r1 │ musl libc 0.9.13 through 1.2.5 before 1.2.6 has an │
│ │ │ │ │ │ │ out-of-bounds write ...... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-26519 │
├────────────┤ │ │ │ │ │ │
│ musl-utils │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
usr/local/go/bin/go (gobinary)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2025-22866 │ MEDIUM │ fixed │ v1.22.11 │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│ │ │ │ │ │ │ on ppc64le in crypto/internal/nistec │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22866 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
...
```
</details>
#### Table mode
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
Trivy supports the following modes for `table` format:
| Mode | Enabled by default |
|:----------------------------:|:-----------------:|
| [summary](#summary-table) | ✓[^1] |
| [detailed](#detailed-tables) | ✓ |
You can use `--table-mode` flag to enable/disable table mode(s).
##### Summary table
Summary table contains general information about the scan performed.
Nuances of table contents:
- Table includes columns for enabled [scanners](../references/terminology.md#scanner) only. Use `--scanners` flag to enable/disable scanners.
- Table includes separate lines for the same targets but different scanners.
- `-` means that the scanner didn't scan this target.
- `0` means that the scanner scanned this target, but found no security issues.
<details>
<summary>Report Summary</summary>
```
┌───────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┬──────────┐
│ Target │ Type │ Vulnerabilities │ Misconfigurations │ Secrets │ Licenses │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ test (alpine 3.20.3) │ alpine │ 2 │ - │ - │ - │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ Java │ jar │ 2 │ - │ - │ - │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ app/Dockerfile │ dockerfile │ - │ 2 │ - │ - │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ requirements.txt │ text │ 0 │ - │ - │ - │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ requirements.txt │ text │ - │ - │ 1 │ - │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ OS Packages │ - │ - │ - │ - │ 1 │
├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
│ Java │ - │ - │ - │ - │ 0 │
└───────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┴──────────┘
```
</details>
##### Detailed tables
Detailed tables contain information about found security issues for each target with more detailed information (CVE-ID, severity, version, etc.).
<details>
<summary>Detailed tables</summary>
```
usr/local/go/bin/go (gobinary)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2025-22866 │ MEDIUM │ fixed │ v1.22.11 │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│ │ │ │ │ │ │ on ppc64le in crypto/internal/nistec │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22866 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
```
</details>
#### Show origins of vulnerable dependencies
@@ -124,22 +267,6 @@ Then, you can try to update **axios@0.21.4** and **cra-append-sw@2.7.0** to reso
$ trivy image -f json -o results.json alpine:latest
```
<details>
<summary>Result</summary>
```
2024-12-26T22:01:18+05:30 INFO [vuln] Vulnerability scanning is enabled
2024-12-26T22:01:18+05:30 INFO [secret] Secret scanning is enabled
2024-12-26T22:01:18+05:30 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-26T22:01:18+05:30 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-26T22:01:18+05:30 INFO Detected OS family="alpine" version="3.20.3"
2024-12-26T22:01:18+05:30 INFO [alpine] Detecting vulnerabilities... os_version="3.20" repository="3.20" pkg_num=14
2024-12-26T22:01:18+05:30 INFO Number of language-specific files num=0
2024-12-26T22:01:18+05:30 WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
```
</details>
<details>
<summary>JSON</summary>
@@ -490,7 +617,7 @@ $ trivy convert --format cyclonedx --output result.cdx result.json
```
!!! note
Please note that if you want to convert to a format that requires a list of packages,
Please note that if you want to convert to a format that requires a list of packages,
such as SBOM, you need to add the `--list-all-pkgs` flag when outputting in JSON.
[Filtering options](./filtering.md) such as `--severity` are also available with `convert`.
@@ -534,3 +661,5 @@ $ trivy convert --format table --severity CRITICAL result.json
[sbt-lockfile]: ../coverage/language/java.md#sbt
[pubspec-lock]: ../coverage/language/dart.md#dart
[cargo-binaries]: ../coverage/language/rust.md#binaries
[^1]: To show summary table in `convert` mode - you need to enable the scanners used during JSON report generation.

2
docs/docs/coverage/language/golang.md
View File

@@ -100,7 +100,7 @@ $ trivy rootfs ./your_binary
It doesn't work with UPX-compressed binaries.
### Main Module
Go binaries installed using the `go install` command contains correct (semver) version for the main module and therefor are detected by Trivy.
Go binaries installed using the `go install` command contains correct (semver) version for the main module and therefore are detected by Trivy.
In other cases, Go uses the `(devel)` version[^2].
In this case, Trivy will attempt to parse any `-ldflags` as it's a common practice to pass versions this way.
If unsuccessful, the version will be empty[^3].

6
docs/docs/coverage/language/python.md
View File

@@ -54,7 +54,8 @@ keyring >= 4.1.1 # Minimum version 4.1.1
Mopidy-Dirble ~= 1.1 # Minimum version 1.1
python-gitlab==2.0.* # Minimum version 2.0.0
```
Also, there is a way to convert unsupported version specifiers - use the `pip freeze` command.
Also, there is a way to convert unsupported version specifiers - use either the `pip-compile` tool (which doesn't install the packages)
or call `pip freeze` from the virtual environment where the requirements are already installed.
```bash
$ cat requirements.txt
@@ -81,7 +82,8 @@ wheel==0.42.0
`requirements.txt` files usually contain only the direct dependencies and not contain the transitive dependencies.
Therefore, Trivy scans only for the direct dependencies with `requirements.txt`.
To detect transitive dependencies as well, you need to generate `requirements.txt` with `pip freeze`.
To detect transitive dependencies as well, you need to generate `requirements.txt` that contains them.
Like described above, tou can do it with `pip freeze` or `pip-compile`.
```zsh
$ cat requirements.txt # it will only find `requests@2.28.2`.

2
docs/docs/coverage/language/ruby.md
View File

@@ -1,7 +1,7 @@
# Ruby
Trivy supports [Bundler][bundler] and [RubyGems][rubygems].
The following scanners are supported for Cargo.
The following scanners are supported for Bundler and RubyGems.
| Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:|

56
docs/docs/references/abbreviations.md Normal file
View File

@@ -0,0 +1,56 @@
# Abbreviation List
This list compiles words that frequently appear in CLI flags or configuration files and are commonly abbreviated in industry and OSS communities.
Trivy may use the abbreviation in place of the full spelling for flag names.
It is also acceptable to add even shorter aliases if needed.
Words not included in this list should be spelled out in full when used in flags.
This list is intentionally limited to the most common and widely recognized abbreviations.
Excessive use of abbreviations in CLI flags can hinder initial user understanding and create a steeper learning curve.
!!! note
This list serves as a guideline rather than a strict requirement.
Its purpose is to maintain consistency across the project when naming flags and configuration options.
While we strive to follow these abbreviations, there may be exceptions where context or clarity demands a different approach.
## Scope
This list focuses on abbreviations of single words commonly used in technical contexts. It does not include:
1. Acronyms formed from the initial letters of multiple words (e.g., OS for Operating System, HTTP for Hypertext Transfer Protocol)
2. Domain-specific terminology that already has standardized short forms
3. Brand names or product-specific abbreviations
The abbreviations listed here are primarily intended for CLI flags, configuration keys, and similar technical interfaces where brevity is valued while maintaining clarity.
## Example
For a flag containing multiple words, only abbreviate words that appear in this list.
For instance, in `--database-repository`, "database" is in the list so it should be abbreviated to "db", but "repository" is not in the list so it must be spelled out completely.
The correct flag name would be `--db-repository`.
It's acceptable to add a shorter alias like `--db-repo` if desired.
## List
| Full Name | Default Abbreviation | Examples |
|-------------------|----------------------|-----------------------------------------------------------|
| application | app | `--app-name`, `--app-mode` |
| authentication | auth | `--auth-method`, `--auth-token` |
| authorization | authz | `--authz-rule`, `--authz-policy` |
| command | cmd | `--cmd-option`, `--cmd-args` |
| configuration | config | `--config`, `--config-dir` |
| database | db | `--db-repository`, `--db-user`, `--db-pass` |
| development | dev | `--dev-dependencies`, `--dev-mode` |
| directory | dir | `--dir-path`, `--output-dir` |
| environment | env | `--env-file`, `--env-vars` |
| information | info | `--info-level`, `--show-info` |
| initialization | init | `--init-script`, `--init-config` |
| library | lib | `--lib-path`, `--lib-dir` |
| maximum | max | `--max-image-size`, `--max-depth` |
| minimum | min | `--min-value`, `--min-severity` |
| misconfiguration | misconfig | `--misconfig-scanners` |
| package | pkg | `--pkg-types` |
| production | prod | `--prod-env`, `--prod-deploy` |
| specification | spec | `--spec-file`, `--spec-version` |
| temporary | tmp | `--tmp-dir`, `--tmp-file` |
| utility | util | `--util-script`, `--util-name` |
| vulnerability | vuln | `--vuln-scan`, `--vuln-report` |

26
docs/docs/references/configuration/cli/trivy_config.md
View File

@@ -21,7 +21,18 @@ trivy config [flags] DIR
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -45,11 +56,20 @@ trivy config [flags] DIR
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--report string specify a compliance report format for the output (all,summary) (default "all")
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--report string specify a compliance report format for the output (allowed values: all,summary) (default "all")
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--skip-check-update skip fetching rego check updates
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tf-vars strings specify paths to override the Terraform tfvars files

26
docs/docs/references/configuration/cli/trivy_convert.md
View File

@@ -22,16 +22,36 @@ trivy convert [flags] RESULT_JSON
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
-h, --help help for convert
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignorefile string specify .trivyignore file (default ".trivyignore")
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--report string specify a report format for the output (all,summary) (default "all")
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--report string specify a report format for the output (allowed values: all,summary) (default "all")
--scanners strings List of scanners included when generating the json report. Used only for rendering the summary table. (allowed values: vuln,misconfig,secret,license)
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
```

85
docs/docs/references/configuration/cli/trivy_filesystem.md
View File

@@ -34,14 +34,25 @@ trivy filesystem [flags] PATH
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
(allowed values: precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -50,7 +61,16 @@ trivy filesystem [flags] PATH
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for filesystem
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
@@ -70,20 +90,35 @@ trivy filesystem [flags] PATH
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a compliance report format for the output (all,summary) (default "all")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--report string specify a compliance report format for the output (allowed values: all,summary) (default "all")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
@@ -91,6 +126,7 @@ trivy filesystem [flags] PATH
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tf-vars strings specify paths to override the Terraform tfvars files
@@ -99,6 +135,37 @@ trivy filesystem [flags] PATH
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- auto
(default [auto])
```
### Options inherited from parent commands

91
docs/docs/references/configuration/cli/trivy_image.md
View File

@@ -38,7 +38,7 @@ trivy image [flags] IMAGE_NAME
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate (docker-cis-1.6.0)
--compliance string compliance report to generate (allowed values: docker-cis-1.6.0)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
@@ -48,7 +48,7 @@ trivy image [flags] IMAGE_NAME
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
(allowed values: precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--docker-host string unix domain socket path to use for docker scanning
--download-db-only download/update vulnerability database but don't run a scan
@@ -57,7 +57,18 @@ trivy image [flags] IMAGE_NAME
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -66,12 +77,21 @@ trivy image [flags] IMAGE_NAME
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for image
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (misconfig,secret)
--image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--image-config-scanners strings comma-separated list of what security issues to detect on container image configurations (allowed values: misconfig,secret)
--image-src strings image source(s) to use, in priority order (allowed values: docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--include-deprecated-checks include deprecated checks
--include-non-failures include successes, available with '--scanners misconfig'
--input string input file path instead of image name
@@ -89,8 +109,15 @@ trivy image [flags] IMAGE_NAME
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--platform string set platform in the form os/arch if image is multi-platform capable
--podman-host string unix podman socket path to use for podman scanning
--redis-ca string redis ca file location, if using redis as cache backend
@@ -100,12 +127,20 @@ trivy image [flags] IMAGE_NAME
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
--report string specify a format for the compliance report. (all,summary) (default "summary")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--report string specify a format for the compliance report. (allowed values: all,summary) (default "summary")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
@@ -113,6 +148,7 @@ trivy image [flags] IMAGE_NAME
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--token string for authentication in client/server mode
@@ -120,6 +156,37 @@ trivy image [flags] IMAGE_NAME
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- auto
(default [auto])
```
### Options inherited from parent commands

84
docs/docs/references/configuration/cli/trivy_kubernetes.md
View File

@@ -34,7 +34,14 @@ trivy kubernetes [flags] [CONTEXT]
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate (k8s-nsa-1.0,k8s-cis-1.23,eks-cis-1.4,rke2-cis-1.24,k8s-pss-baseline-0.1,k8s-pss-restricted-0.1)
--compliance string compliance report to generate
Allowed values:
- k8s-nsa-1.0
- k8s-cis-1.23
- eks-cis-1.4
- rke2-cis-1.24
- k8s-pss-baseline-0.1
- k8s-pss-restricted-0.1
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
@@ -43,7 +50,7 @@ trivy kubernetes [flags] [CONTEXT]
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
(allowed values: precise,comprehensive) (default "precise")
--disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
@@ -54,7 +61,7 @@ trivy kubernetes [flags] [CONTEXT]
--exclude-owned exclude resources that have an owner reference
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,cyclonedx) (default "table")
-f, --format string format (allowed values: table,json,cyclonedx) (default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -63,10 +70,19 @@ trivy kubernetes [flags] [CONTEXT]
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for kubernetes
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--image-src strings image source(s) to use, in priority order (allowed values: docker,containerd,podman,remote) (default [docker,containerd,podman,remote])
--include-deprecated-checks include deprecated checks
--include-kinds strings indicate the kinds included in scanning (example: node)
--include-namespaces strings indicate the namespaces included in scanning (example: kube-system)
@@ -85,8 +101,15 @@ trivy kubernetes [flags] [CONTEXT]
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--qps float specify the maximum QPS to the master from this client (default 5)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
@@ -94,11 +117,19 @@ trivy kubernetes [flags] [CONTEXT]
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--report string specify a report format for the output (all,summary) (default "all")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--report string specify a report format for the output (allowed values: all,summary) (default "all")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
@@ -113,6 +144,37 @@ trivy kubernetes [flags] [CONTEXT]
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- auto
(default [auto])
```
### Options inherited from parent commands

83
docs/docs/references/configuration/cli/trivy_repository.md
View File

@@ -34,13 +34,24 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
(allowed values: precise,comprehensive) (default "precise")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
--exit-code int specify exit code when any security issues are found
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -49,7 +60,16 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for repository
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
@@ -69,19 +89,34 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
@@ -89,6 +124,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
--tag string pass the tag name to be scanned
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
@@ -98,6 +134,37 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- auto
(default [auto])
```
### Options inherited from parent commands

83
docs/docs/references/configuration/cli/trivy_rootfs.md
View File

@@ -36,7 +36,7 @@ trivy rootfs [flags] ROOTDIR
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
(allowed values: precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -44,7 +44,18 @@ trivy rootfs [flags] ROOTDIR
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -53,7 +64,16 @@ trivy rootfs [flags] ROOTDIR
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for rootfs
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
@@ -72,19 +92,34 @@ trivy rootfs [flags] ROOTDIR
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-check-update skip fetching rego check updates
--skip-db-update skip updating vulnerability database
@@ -92,6 +127,7 @@ trivy rootfs [flags] ROOTDIR
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--tf-vars strings specify paths to override the Terraform tfvars files
@@ -100,6 +136,37 @@ trivy rootfs [flags] ROOTDIR
--trace enable more verbose trace output for custom queries
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- auto
(default [auto])
```
### Options inherited from parent commands

172
docs/docs/references/configuration/cli/trivy_sbom.md
View File

@@ -20,59 +20,125 @@ trivy sbom [flags] SBOM_PATH
### Options
```
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
--cache-ttl duration cache TTL when using redis as cache backend
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-h, --help help for sbom
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,license) (default [vuln])
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
-t, --template string output template
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
--cache-ttl duration cache TTL when using redis as cache backend
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
-h, --help help for sbom
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,license) (default [vuln])
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--username strings username. Comma-separated usernames allowed.
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- auto
(default [auto])
```
### Options inherited from parent commands

83
docs/docs/references/configuration/cli/trivy_vm.md
View File

@@ -32,7 +32,7 @@ trivy vm [flags] VM_IMAGE
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
(allowed values: precise,comprehensive) (default "precise")
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -40,7 +40,18 @@ trivy vm [flags] VM_IMAGE
--exit-code int specify exit code when any security issues are found
--exit-on-eol int exit with the specified code when the OS reaches end of service/life
--file-patterns strings specify config file patterns
-f, --format string format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-f, --format string format
Allowed values:
- table
- json
- template
- sarif
- cyclonedx
- spdx
- spdx-json
- github
- cosign-vuln
(default "table")
--helm-api-versions strings Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
--helm-kube-version string Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
--helm-set strings specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
@@ -49,7 +60,16 @@ trivy vm [flags] VM_IMAGE
--helm-values strings specify paths to override the Helm values.yaml files
-h, --help help for vm
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-status strings comma-separated list of vulnerability status to ignore
Allowed values:
- unknown
- not_affected
- affected
- fixed
- under_investigation
- will_not_fix
- fix_deferred
- end_of_life
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes, available with '--scanners misconfig'
@@ -62,29 +82,76 @@ trivy vm [flags] VM_IMAGE
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--parallel int number of goroutines enabled for parallel scanning, set 0 to auto-detect parallelism (default 5)
--pkg-relationships strings list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (os,library) (default [os,library])
--pkg-relationships strings list of package relationships
Allowed values:
- unknown
- root
- workspace
- direct
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,license) (default [vuln,secret])
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-s, --severity strings severities of security issues to be displayed
Allowed values:
- UNKNOWN
- LOW
- MEDIUM
- HIGH
- CRITICAL
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
--token string for authentication in client/server mode
--token-header string specify a header name for token in client/server mode (default "Trivy-Token")
--vex strings [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
--vuln-severity-source strings order of data sources for selecting vulnerability severity level
Allowed values:
- nvd
- redhat
- redhat-oval
- debian
- ubuntu
- alpine
- amazon
- oracle-oval
- suse-cvrf
- photon
- arch-linux
- alma
- rocky
- cbl-mariner
- azure
- ruby-advisory-db
- php-security-advisories
- nodejs-security-wg
- ghsa
- glad
- aqua
- osv
- k8s
- wolfi
- chainguard
- bitnami
- govulndb
- auto
(default [auto])
```
### Options inherited from parent commands

12
docs/docs/references/configuration/config-file.md
View File

@@ -409,6 +409,9 @@ misconfiguration:
# Same as '--include-non-failures'
include-non-failures: false
# Same as '--render-cause'
render-cause: []
# Same as '--misconfig-scanners'
scanners:
- azure-arm
@@ -550,6 +553,11 @@ severity:
- HIGH
- CRITICAL
# Same as '--table-mode'
table-mode:
- summary
- detailed
# Same as '--template'
template: ""
@@ -623,6 +631,10 @@ vulnerability:
# Same as '--ignore-unfixed'
ignore-unfixed: false
# Same as '--vuln-severity-source'
severity-source:
- auto
# Same as '--skip-vex-repo-update'
skip-vex-repo-update: false

2
docs/docs/references/troubleshooting.md
View File

@@ -277,5 +277,5 @@ $ trivy clean --all
```
[air-gapped]: ../advanced/air-gap.md
[network]: ../advanced/air-gap.md#network-requirements
[network]: ../advanced/air-gap.md#connectivity-requirements
[redis-cache]: ../configuration/cache.md#redis

2
docs/docs/scanner/license.md
View File

@@ -23,7 +23,7 @@ To enable extended license scanning, you can use `--license-full`.
In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
By default, Trivy only classifies licenses that are matched with a confidence level of 0.9 or more by the classifier.
To configure the confidence level, you can use `--license-confidence-level`. This enables us to classify licenses that might be matched with a lower confidence level by the classifer.
To configure the confidence level, you can use `--license-confidence-level`. This enables us to classify licenses that might be matched with a lower confidence level by the classifier.
!!! note
The full license scanning is expensive. It takes a while.

2
docs/docs/scanner/misconfiguration/custom/index.md
View File

@@ -149,7 +149,7 @@ Services are defined within a provider. For instance, RDS is a service and AWS i
#### custom.input
The `input` tells Trivy what inputs this check should be applied to. Cloud provider checks should always use the `selector` input, and should always use the `type` selector with `cloud`. Check targeting Kubernetes yaml can use `kubenetes`, RBAC can use `rbac`, and so on.
The `input` tells Trivy what inputs this check should be applied to. Cloud provider checks should always use the `selector` input, and should always use the `type` selector with `cloud`. Check targeting Kubernetes yaml can use `kubernetes`, RBAC can use `rbac`, and so on.
#### Subtypes in the custom data

2
docs/docs/scanner/misconfiguration/index.md
View File

@@ -407,7 +407,7 @@ If the schema is specified in the check metadata and is in the directory specifi
If a user specifies the `--config-file-schemas` flag, all input IaC config files are ensured that they pass type-checking. It is not required to pass an input schema in case type checking is not required. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it. Such a use case could include scanning for a new service which Trivy might not support just yet.
!!! tip
It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma seperated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.
It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma separated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.
### Passing custom data

24
docs/docs/scanner/vulnerability.md
View File

@@ -345,6 +345,30 @@ However, in some cases, you may want to scan an image with a different OS versio
Also, you may want to specify the OS version when OS is not detected.
For these cases, Trivy supports a `--distro` flag using the `<family>/<version>` format (e.g. `alpine/3.20`) to set the desired OS version.
### Severity selection
By default, Trivy automatically detects severity (as described [here](#severity-selection)).
But there are cases when you may want to use your own source priority. Trivy supports the `--vuln-severity-source` flag for this.
Fill in a list of required sources, and Trivy will check the sources in that order until it finds an existing severity.
If no source has the severity - Trivy will use the `UNKNOWN` severity.
!!! note
To use the default logic in combination with your sources - use the `auto` value.
Example logic for the following vendor severity levels when scanning an Alpine image:
```json
"VendorSeverity": {
"ghsa": 3,
"nvd": 4,
}
```
- `--vuln-severity-source auto,nvd` - severity is `CRITICAL`, got from `auto`.
- `--vuln-severity-source alpine,auto` - severity is `CRITICAL`, got from `auto`.
- `--vuln-severity-source alpine,ghsa` - severity is `HIGH`, got from `ghsa`.
- `--vuln-severity-source alpine,alma` - severity is `UNKNOWN`.
[^1]: https://github.com/GoogleContainerTools/distroless
[nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464

2
docs/docs/supply-chain/attestation/rekor.md
View File

@@ -22,7 +22,7 @@ $ trivy image --sbom-sources rekor otms61/alpine:3.7.3
2022-09-16T17:37:13.258+0900 INFO Vulnerability scanning is enabled
2022-09-16T17:37:13.258+0900 INFO Secret scanning is enabled
2022-09-16T17:37:13.258+0900 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2022-09-16T17:37:13.258+0900 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-16T17:37:13.258+0900 INFO Please see also https://trivy.dev/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-16T17:37:14.827+0900 INFO Detected SBOM format: cyclonedx-json
2022-09-16T17:37:14.901+0900 INFO Found SBOM (cyclonedx) attestation in Rekor
2022-09-16T17:37:14.903+0900 INFO Detected OS: alpine

1449
docs/docs/supply-chain/sbom.md
View File

File diff suppressed because it is too large Load Diff

4
docs/docs/supply-chain/vex/index.md
View File

@@ -8,11 +8,12 @@ By providing VEX during scanning, it is possible to filter vulnerabilities based
## VEX Usage Methods
Trivy currently supports two methods for utilizing VEX:
Trivy currently supports four methods for utilizing VEX:
1. [VEX Repository](./repo.md)
2. [Local VEX Files](./file.md)
3. [VEX Attestation](./oci.md)
4. [SBOM Reference](./sbom-ref.md)
### Enabling VEX
To enable VEX, use the `--vex` option.
@@ -21,6 +22,7 @@ You can specify the method to use:
- To enable the VEX Repository: `--vex repo`
- To use a local VEX file: `--vex /path/to/vex-document.json`
- To enable VEX attestation discovery in OCI registry: `--vex oci`
- To use remote VEX files referenced in SBOMs: `--vex sbom-ref`
```bash
$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo

44
docs/docs/supply-chain/vex/sbom-ref.md Normal file
View File

@@ -0,0 +1,44 @@
# VEX SBOM Reference
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
## Using externally referenced VEX documents
Trivy can discover and download VEX documents referenced in the `externalReferences` of a scanned CycloneDX SBOM. This
requires the references to be of type `exploitability-statement`.
To be picked up by Trivy, following top level content needs to be part of a CycloneDx SBOM to dynamically resolve a
remotely hosted file VEX file at the location `https://vex.example.com`:
```
"externalReferences": [
{
"type": "exploitability-statement",
"url": "https://vex.example.com/vex"
}
]
```
This can also be used to dynamically retrieve VEX files stored on GitHub with an `externalReference` such as:
```
"externalReferences": [
{
"type": "exploitability-statement",
"url": "https://raw.githubusercontent.com/aquasecurity/trivy/refs/heads/main/.vex/trivy.openvex.json"
}
]
```
This is not enabled by default at the moment, but can be used when scanning a CycloneDx SBOM and explicitly specifying
`--vex sbom-ref`.
```shell
$ trivy sbom trivy.cdx.json --vex sbom-ref
2025-01-19T13:29:31+01:00 INFO [vex] Retrieving external VEX document from host vex.example.com type="externalReference"
2025-01-19T13:29:31+01:00 INFO Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
```
All the referenced VEX files are retrieved via HTTP/HTTPS and used in the same way as if they were explicitly specified
via a [file reference](./file.md).

30
docs/docs/target/container_image.md
View File

@@ -144,7 +144,7 @@ See https://avd.aquasec.com/misconfig/ds005
LOW: Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
See https://avd.aquasec.com/misconfig/ds026
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
@@ -154,7 +154,15 @@ See https://avd.aquasec.com/misconfig/ds026
!!! tip
You can see how each layer is created with `docker history`.
The [AVD-DS-0016](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0016/) check is disabled for this scan type, see [issue](https://github.com/aquasecurity/trivy/issues/7368) for details.
#### Disabled checks
The following checks are disabled for this scan type due to known issues. See the linked issues for more details.
| Check ID | Reason | Issue |
|----------|------------|--------|
| [AVD-DS-0007](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0007/) | This check detects multiple `ENTRYPOINT` instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. | [#8364](https://github.com/aquasecurity/trivy/issues/8364) |
| [AVD-DS-0016](https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0016/) | This check detects multiple `CMD` instructions in a stage, but since image history analysis does not identify stages, this check is not relevant for this scan type. | [#7368](https://github.com/aquasecurity/trivy/issues/7368) |
### Secrets
Trivy detects secrets on the configuration of container images.
@@ -403,9 +411,20 @@ Trivy supports the generation of Software Bill of Materials (SBOM) for container
### Generation
Trivy can generate SBOM for container images.
See [here](../supply-chain/sbom.md) for the detail.
See [here](../supply-chain/sbom.md) for details.
### Discovery
### Discover SBOM inside container images
Trivy can search for Software Bill of Materials (SBOMs) within container image files and scan their components for vulnerabilities.
#### Third-party SBOM files
SBOM specifications define key requirements for component documentation[^2].
However, different tools and systems often have varying approaches to documenting component types and their relationships.
Due to these variations, Trivy cannot always accurately interpret SBOMs generated by other tools.
For example, it may have difficulty determining the correct file paths to component information files (such as lock files or binaries).
In such cases, Trivy uses the path to the scanned SBOM file itself to maintain traceability and ensure accurate dependency reporting.
### Discover SBOM referencing the container image
Trivy can search for Software Bill of Materials (SBOMs) that reference container images.
If an SBOM is found, the vulnerability scan is performed using the SBOM instead of the container image.
By using the SBOM, you can perform a vulnerability scan more quickly, as it allows you to skip pulling the container image and analyzing its layers.
@@ -491,7 +510,7 @@ $ trivy image --platform=linux/arm alpine:3.16.1
2022-10-25T21:00:50.972+0300 INFO Vulnerability scanning is enabled
2022-10-25T21:00:50.972+0300 INFO Secret scanning is enabled
2022-10-25T21:00:50.972+0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2022-10-25T21:00:50.972+0300 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-10-25T21:00:50.972+0300 INFO Please see also https://trivy.dev/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-10-25T21:00:56.190+0300 INFO Detected OS: alpine
2022-10-25T21:00:56.190+0300 INFO Detecting Alpine vulnerabilities...
2022-10-25T21:00:56.191+0300 INFO Number of language-specific files: 0
@@ -551,3 +570,4 @@ Error: uncompressed image size (15GB) exceeds maximum allowed size (10GB)
```
[^1]: Trivy uses decimal (SI) prefixes (based on 1000) for size.
[^2]: SPDX uses `package` instead of `component`.

2
docs/docs/target/kubernetes.md
View File

@@ -180,7 +180,7 @@ trivy k8s --report summary --disable-node-collector
The node-collector scan-job will run on every node. In case the node has been tainted, it is possible to add toleration to the scan job for it to be scheduled on the tainted node. for more details [see k8s docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
- `--tolerations key1=value1:NoExecute,key2=value2:NoSchedule` this flag wil enable node-collector to be schedule on tainted Node
- `--tolerations key1=value1:NoExecute,key2=value2:NoSchedule` this flag will enable node-collector to be schedule on tainted Node
Example:

13
docs/docs/target/rootfs.md
View File

@@ -13,3 +13,16 @@ $ trivy rootfs /path/to/rootfs
Rootfs scanning works differently from the Filesystem scanning.
You should use `trivy fs` to scan your local projects in CI/CD.
See [here](../scanner/vulnerability.md) for the differences.
## Performance Optimization
By default, Trivy traverses all files from the specified root directory to find target files for scanning.
However, when you only need to scan specific files with absolute paths, you can avoid this traversal, which makes scanning faster.
For example, when scanning only OS packages, no full traversal is performed:
```bash
$ trivy rootfs --pkg-types os --scanners vuln /
```
When scanning language-specific packages or secrets, traversal is necessary because the location of these files is unknown.
If you want to exclude specific directories from scanning for better performance, you can use the [--skip-dirs](../configuration/skipping.md) option.

2
docs/ecosystem/ide.md
View File

@@ -58,7 +58,7 @@ Web application that allows to load a Trivy report in json format and displays t
## Trivy pre-commit (Community)
A trivy pre-commit hook that runs a `trivy fs` in your git repo before commiting, preventing you from commiting secrets in the first place.
A trivy pre-commit hook that runs a `trivy fs` in your git repo before committing, preventing you from committing secrets in the first place.
👉 Get it at: <https://github.com/mxab/pre-commit-trivy>

2
docs/getting-started/installation.md
View File

@@ -167,7 +167,7 @@ See their respective documentation for more information of how to install them a
- [asdf](https://asdf-vm.com/guide/getting-started.html)
- [mise](https://mise.jdx.dev/getting-started.html)
The plugin used by both tools is developped [here](https://github.com/zufardhiyaulhaq/asdf-trivy)
The plugin used by both tools is developed [here](https://github.com/zufardhiyaulhaq/asdf-trivy)
=== "asdf"

6
docs/tutorials/misconfiguration/custom-checks.md
View File

@@ -1,6 +1,6 @@
# Custom Checks with Rego
Trivy can scan configuration files for common security issues (a.k.a IaC misconfiguration scanning). In addition to a comprehensive built in database of checks, you can add your own custom checks. Checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) language and the full documentation for checks and customizing them is available [here](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/).
Trivy can scan configuration files for common security issues (a.k.a IaC misconfiguration scanning). In addition to a comprehensive built in database of checks, you can add your own custom checks. Checks are written in [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) language and the full documentation for checks and customizing them is available [here](https://trivy.dev/latest/docs/scanner/misconfiguration/custom/).
This tutorial will walk you through writing a custom check in Rego that checks for an issue in a Dockerfile.
@@ -38,7 +38,7 @@ Next, we need to specify metadata about the check. This is information that help
Important: The `METADATA` has to be defined on top of the file.
More information on the different fields in the metadata can be found in the [Trivy documentation.](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/)
More information on the different fields in the metadata can be found in the [Trivy documentation.](https://trivy.dev/latest/docs/scanner/misconfiguration/custom/)
## Package and imports
@@ -86,7 +86,7 @@ Let's look at the check line by line:
Note that Rego
* uses `AND` automatically to combine conditions in this check
* automatically iterates through the array of commands in the Dockefile and allowed images
* automatically iterates through the array of commands in the Dockerfile and allowed images
## Run the check in a Trivy misconfiguration scan

16
docs/tutorials/misconfiguration/terraform.md
View File

@@ -9,7 +9,7 @@ We have been consolidating all of our scanning-related efforts in one place, and
## Trivy Config Command
Terraform configuration scanning is available as part of the `trivy config` command. This command scans all configuration files for misconfiguration issues. You can find the details within [misconfiguration scans in the Trivy documentation.](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/)
Terraform configuration scanning is available as part of the `trivy config` command. This command scans all configuration files for misconfiguration issues. You can find the details within [misconfiguration scans in the Trivy documentation.](https://trivy.dev/latest/docs/scanner/misconfiguration/)
Command structure:
```
@@ -23,7 +23,7 @@ The `trivy config` command can scan Terraform configuration, CloudFormation, Doc
- If the configuration that has been defined does not follow best practices, the check will fail.
### Prerequisites
Install Trivy on your local machines. The documentation provides several [different installation options.](https://aquasecurity.github.io/trivy/latest/getting-started/installation/)
Install Trivy on your local machines. The documentation provides several [different installation options.](https://trivy.dev/latest/getting-started/installation/)
This tutorial will use this example [Terraform tutorial](https://github.com/Cloud-Native-Security/trivy-demo/tree/main/bad_iac/terraform) for terraform misconfiguration scanning with Trivy.
Git clone the tutorial and cd into the directory:
@@ -31,7 +31,7 @@ Git clone the tutorial and cd into the directory:
git clone git@github.com:Cloud-Native-Security/trivy-demo.git
cd bad_iac/terraform
```
In this case, the folder only containes Terraform configuration files. However, you could scan a directory that contains several different configurations e.g. Kubernetes YAML manifests, Dockerfile, and Terraform. Trivy will then detect the different configuration files and apply the right rules automatically.
In this case, the folder only contains Terraform configuration files. However, you could scan a directory that contains several different configurations e.g. Kubernetes YAML manifests, Dockerfile, and Terraform. Trivy will then detect the different configuration files and apply the right rules automatically.
## Different types of `trivy config` scans
@@ -83,14 +83,14 @@ trivy config --severity CRITICAL, MEDIUM terraform-infra
### Passing tf.tfvars files into `trivy config` scans
You can pass terraform values to Trivy to override default values found in the Terraform HCL code. More information are provided [in the documentation.](https://aquasecurity.github.io/trivy/latest/docs/coverage/iac/terraform/#value-overrides)
You can pass terraform values to Trivy to override default values found in the Terraform HCL code. More information are provided [in the documentation.](https://trivy.dev/latest/docs/coverage/iac/terraform/#value-overrides)
```
trivy config --tf-vars terraform.tfvars ./
```
### Custom Checks
We have lots of examples in the [documentation](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego checks into terraform misconfiguration scans.
We have lots of examples in the [documentation](https://trivy.dev/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego checks into terraform misconfiguration scans.
## Secret and vulnerability scans
@@ -100,15 +100,15 @@ The `trivy config` command does not perform secrete and vulnerability checks out
trivy fs --scanners secret,misconfig ./
```
The `trivy config` command is a sub-command of the `trivy fs` command. You can learn more about this command in the [documentation.](https://aquasecurity.github.io/trivy/latest/docs/target/filesystem/)
The `trivy config` command is a sub-command of the `trivy fs` command. You can learn more about this command in the [documentation.](https://trivy.dev/latest/docs/target/filesystem/)
## Scanning Terraform Plan files
Instead of scanning your different Terraform resources individually, you could also scan your Terraform Plan file before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. [Here](https://aquasecurity.github.io/trivy/latest/docs/coverage/iac/terraform/#terraform) is the link to the documentation.
Instead of scanning your different Terraform resources individually, you could also scan your Terraform Plan file before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. [Here](https://trivy.dev/latest/docs/coverage/iac/terraform/#terraform) is the link to the documentation.
Note that you need to be able to create a terraform init and plan without any errors.
## Using Trivy in your CI/CD pipeline
Similar to tfsec, Trivy can be used either on local developer machines or integrated into your CI/CD pipeline. There are several steps available for different pipelines, including GitHub Actions, Circle CI, GitLab, Travis and more in the tutorials section of the documentation: [https://aquasecurity.github.io/trivy/latest/tutorials/integrations/](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/)
Similar to tfsec, Trivy can be used either on local developer machines or integrated into your CI/CD pipeline. There are several steps available for different pipelines, including GitHub Actions, Circle CI, GitLab, Travis and more in the tutorials section of the documentation: [https://trivy.dev/latest/tutorials/integrations/](https://trivy.dev/latest/tutorials/integrations/)

2
examples/module/spring4shell/README.md
View File

@@ -5,7 +5,7 @@ This module provides a more in-depth investigation of Spring4Shell detection.
## Set up
```
$ tinygo build -o spring4shell.wasm -scheduler=none -target=wasi --no-debug spring4shell.go
$ GOOS=wasip1 GOARCH=wasm go build -o spring4shell.wasm -buildmode=c-shared spring4shell.go
$ mkdir -p ~/.trivy/modules
$ cp spring4shell.wasm ~/.trivy/modules
```

18
examples/module/spring4shell/spring4shell.go
View File

@@ -1,5 +1,5 @@
//go:generate tinygo build -o spring4shell.wasm -scheduler=none -target=wasi --no-debug spring4shell.go
//go:build tinygo.wasm
//go:generate go build -o spring4shell.wasm -buildmode=c-shared spring4shell.go
//go:build wasip1
package main
@@ -13,9 +13,11 @@ import (
"strconv"
"strings"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/module/api"
"github.com/aquasecurity/trivy/pkg/module/serialize"
"github.com/aquasecurity/trivy/pkg/module/wasm"
"github.com/aquasecurity/trivy/pkg/types"
)
const (
@@ -29,8 +31,10 @@ var (
tomcatVersionRegex = regexp.MustCompile(`Apache Tomcat Version ([\d.]+)`)
)
// main is required for TinyGo to compile to Wasm.
func main() {
// main is required for Go to compile the Wasm module
func main() {}
func init() {
wasm.RegisterModule(Spring4Shell{})
}
@@ -95,7 +99,7 @@ func (Spring4Shell) parseJavaRelease(f *os.File, filePath string) (*serialize.An
}
return &serialize.AnalysisResult{
CustomResources: []serialize.CustomResource{
CustomResources: []ftypes.CustomResource{
{
Type: TypeJavaMajor,
FilePath: filePath,
@@ -117,7 +121,7 @@ func (Spring4Shell) parseTomcatReleaseNotes(f *os.File, filePath string) (*seria
}
return &serialize.AnalysisResult{
CustomResources: []serialize.CustomResource{
CustomResources: []ftypes.CustomResource{
{
Type: TypeTomcatVersion,
FilePath: filePath,
@@ -222,7 +226,7 @@ func (Spring4Shell) PostScanSpec() serialize.PostScanSpec {
// }
//
// ]
func (Spring4Shell) PostScan(results serialize.Results) (serialize.Results, error) {
func (Spring4Shell) PostScan(results types.Results) (types.Results, error) {
var javaMajorVersion int
var tomcatVersion string
for _, result := range results {

196
go.mod
View File

@@ -1,11 +1,11 @@
module github.com/aquasecurity/trivy
go 1.23.4
go 1.24
require (
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2
github.com/BurntSushi/toml v1.4.0
github.com/CycloneDX/cyclonedx-go v0.9.2
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
@@ -24,35 +24,36 @@ require (
github.com/aquasecurity/table v1.8.0
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v1.6.1
github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e
github.com/aquasecurity/trivy-checks v1.8.0
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.7.0
github.com/aws/aws-sdk-go-v2 v1.34.0
github.com/aws/aws-sdk-go-v2/config v1.29.2
github.com/aws/aws-sdk-go-v2/credentials v1.17.55
github.com/aws/aws-sdk-go-v2/service/ec2 v1.201.1
github.com/aws/aws-sdk-go-v2/service/ecr v1.38.7
github.com/aws/aws-sdk-go-v2/service/s3 v1.74.1
github.com/aws/smithy-go v1.22.2
github.com/aquasecurity/trivy-kubernetes v0.8.0
github.com/aws/aws-sdk-go-v2 v1.36.3
github.com/aws/aws-sdk-go-v2/config v1.29.9
github.com/aws/aws-sdk-go-v2/credentials v1.17.62
github.com/aws/aws-sdk-go-v2/service/ec2 v1.207.1
github.com/aws/aws-sdk-go-v2/service/ecr v1.42.1
github.com/aws/aws-sdk-go-v2/service/s3 v1.78.1
github.com/aws/smithy-go v1.22.3
github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
github.com/bmatcuk/doublestar/v4 v4.8.1
github.com/cenkalti/backoff/v4 v4.3.0
github.com/cheggaaa/pb/v3 v3.1.6
github.com/containerd/containerd/v2 v2.0.2
github.com/cheggaaa/pb/v3 v3.1.7
github.com/containerd/containerd/v2 v2.0.4
github.com/containerd/platforms v1.0.0-rc.1
github.com/distribution/reference v0.6.0
github.com/docker/cli v27.5.0+incompatible
github.com/docker/docker v27.5.0+incompatible
github.com/docker/docker v27.5.1+incompatible
github.com/docker/go-connections v0.5.0
github.com/docker/go-units v0.5.0
github.com/fatih/color v1.18.0
github.com/go-git/go-git/v5 v5.13.2
github.com/go-git/go-git/v5 v5.14.0
github.com/go-json-experiment/json v0.0.0-20250211171154-1ae217ad3535 // Replace with encoding/json/v2 when proposal is accepted. Track https://github.com/golang/go/issues/71497
github.com/go-openapi/runtime v0.28.0 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-redis/redis/v8 v8.11.5
github.com/gocsaf/csaf/v3 v3.1.1
github.com/golang-jwt/jwt/v5 v5.2.1
github.com/golang-jwt/jwt/v5 v5.2.2
github.com/google/go-containerregistry v0.20.3
github.com/google/go-github/v62 v62.0.0
github.com/google/licenseclassifier/v2 v2.0.0
@@ -79,72 +80,72 @@ require (
github.com/masahiro331/go-disk v0.0.0-20240625071113-56c933208fee
github.com/masahiro331/go-ebs-file v0.0.0-20240917043618-e6d2bea5c32e
github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd
github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
github.com/masahiro331/go-mvn-version v0.0.0-20250131095131-f4974fa13b8a
github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
github.com/masahiro331/go-xfs-filesystem v0.0.0-20231205045356-1b22259a6c44
github.com/mattn/go-shellwords v1.0.12
github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032
github.com/mitchellh/go-homedir v1.1.0
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/mitchellh/mapstructure v1.5.0
github.com/moby/buildkit v0.18.2
github.com/open-policy-agent/opa v1.1.0
github.com/open-policy-agent/opa v1.2.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0
github.com/opencontainers/image-spec v1.1.1
github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553
github.com/openvex/go-vex v0.2.5
github.com/owenrumney/go-sarif/v2 v2.3.3
github.com/owenrumney/squealer v1.2.6
github.com/owenrumney/squealer v1.2.11 // indirect
github.com/package-url/packageurl-go v0.1.3
github.com/quasilyte/go-ruleguard/dsl v0.3.22
github.com/samber/lo v1.49.0
github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c
github.com/samber/lo v1.49.1
github.com/sassoftware/go-rpmutils v0.4.0
github.com/secure-systems-lab/go-securesystemslib v0.9.0
github.com/sigstore/rekor v1.3.8
github.com/sigstore/rekor v1.3.9
github.com/sirupsen/logrus v1.9.3
github.com/sosedoff/gitkit v0.4.0
github.com/spdx/tools-golang v0.5.5 // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
github.com/spf13/cast v1.7.1
github.com/spf13/cobra v1.8.1
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.19.0
github.com/spf13/cobra v1.9.1
github.com/spf13/pflag v1.0.6
github.com/spf13/viper v1.20.0
github.com/stretchr/testify v1.10.0
github.com/testcontainers/testcontainers-go v0.35.0
github.com/testcontainers/testcontainers-go/modules/localstack v0.35.0
github.com/tetratelabs/wazero v1.8.2
github.com/tetratelabs/wazero v1.9.0
github.com/twitchtv/twirp v8.1.3+incompatible
github.com/xeipuuv/gojsonschema v1.2.0
github.com/xlab/treeprint v1.2.0
github.com/zclconf/go-cty v1.16.2
github.com/zclconf/go-cty-yaml v1.1.0
go.etcd.io/bbolt v1.3.11
golang.org/x/crypto v0.32.0
go.etcd.io/bbolt v1.4.0
golang.org/x/crypto v0.36.0
golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
golang.org/x/mod v0.22.0
golang.org/x/net v0.34.0
golang.org/x/sync v0.10.0
golang.org/x/term v0.28.0
golang.org/x/text v0.21.0
golang.org/x/mod v0.24.0
golang.org/x/net v0.37.0
golang.org/x/sync v0.12.0
golang.org/x/term v0.30.0
golang.org/x/text v0.23.0
golang.org/x/vuln v1.1.4
golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9
google.golang.org/protobuf v1.36.4
google.golang.org/protobuf v1.36.5
gopkg.in/yaml.v3 v3.0.1
helm.sh/helm/v3 v3.17.0
k8s.io/api v0.32.1
helm.sh/helm/v3 v3.17.2
k8s.io/api v0.32.3
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
modernc.org/sqlite v1.34.5
sigs.k8s.io/yaml v1.4.0
modernc.org/sqlite v1.36.1
sigs.k8s.io/yaml v1.4.0 // indirect
)
require (
cel.dev/expr v0.19.0 // indirect
cloud.google.com/go v0.116.0 // indirect
cloud.google.com/go/auth v0.13.0 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
cloud.google.com/go/auth v0.14.0 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
cloud.google.com/go/compute/metadata v0.6.0 // indirect
cloud.google.com/go/iam v1.2.2 // indirect
cloud.google.com/go/monitoring v1.21.2 // indirect
cloud.google.com/go/storage v1.45.0 // indirect
cloud.google.com/go/storage v1.49.0 // indirect
dario.cat/mergo v1.0.1 // indirect
github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
@@ -156,7 +157,7 @@ require (
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
github.com/Azure/go-autorest/logger v0.2.1 // indirect
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
github.com/DataDog/zstd v1.5.5 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect
@@ -169,11 +170,10 @@ require (
github.com/Masterminds/squirrel v1.5.4 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/Microsoft/hcsshim v0.12.9 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/ProtonMail/go-crypto v1.1.5 // indirect
github.com/VividCortex/ewma v1.2.0 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
github.com/agnivade/levenshtein v1.2.0 // indirect
github.com/agnivade/levenshtein v1.2.1 // indirect
github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
@@ -186,10 +186,10 @@ require (
github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/cloudflare/circl v1.5.0 // indirect
github.com/cloudflare/circl v1.6.0 // indirect
github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
github.com/containerd/cgroups/v3 v3.0.3 // indirect
github.com/containerd/containerd v1.7.25 // indirect
github.com/containerd/containerd v1.7.27 // indirect
github.com/containerd/containerd/api v1.8.0 // indirect
github.com/containerd/continuity v0.4.5 // indirect
github.com/containerd/errdefs v1.0.0 // indirect
@@ -203,7 +203,7 @@ require (
github.com/cpuguy83/dockercfg v0.3.2 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
github.com/cyphar/filepath-securejoin v0.3.6 // indirect
github.com/cyphar/filepath-securejoin v0.4.1 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
@@ -213,7 +213,7 @@ require (
github.com/docker/docker-credential-helpers v0.8.2 // indirect
github.com/docker/go-metrics v0.0.1 // indirect
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
github.com/dsnet/compress v0.0.1 // indirect
github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
@@ -230,7 +230,7 @@ require (
github.com/go-git/go-billy/v5 v5.6.2 // indirect
github.com/go-gorp/gorp/v3 v3.1.0 // indirect
github.com/go-ini/ini v1.67.0 // indirect
github.com/go-jose/go-jose/v4 v4.0.4 // indirect
github.com/go-jose/go-jose/v4 v4.0.5 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.3.0 // indirect
@@ -243,20 +243,20 @@ require (
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/goccy/go-yaml v1.9.5 // indirect
github.com/goccy/go-yaml v1.15.23 // indirect
github.com/gofrs/uuid v4.3.1+incompatible // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/btree v1.1.2 // indirect
github.com/google/certificate-transparency-go v1.1.8 // indirect
github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/s2a-go v0.1.8 // indirect
github.com/google/s2a-go v0.1.9 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
github.com/googleapis/gax-go/v2 v2.14.1 // indirect
@@ -268,7 +268,6 @@ require (
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-safetemp v1.0.0 // indirect
github.com/hashicorp/golang-lru v0.6.0 // indirect
github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
github.com/hashicorp/terraform-json v0.24.0 // indirect
github.com/huandu/xstrings v1.5.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -316,7 +315,6 @@ require (
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/runtime-spec v1.2.0 // indirect
github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 // indirect
github.com/opencontainers/selinux v1.11.1 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml/v2 v2.2.3 // indirect
@@ -327,17 +325,16 @@ require (
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
github.com/prometheus/client_golang v1.20.5 // indirect
github.com/prometheus/client_golang v1.21.0 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.61.0 // indirect
github.com/prometheus/common v0.62.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
github.com/rivo/uniseg v0.4.7 // indirect
github.com/rubenv/sql-migrate v1.7.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/sagikazarmark/locafero v0.6.0 // indirect
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/sagikazarmark/locafero v0.7.0 // indirect
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
@@ -348,12 +345,11 @@ require (
github.com/sigstore/cosign/v2 v2.2.4 // indirect
github.com/sigstore/sigstore v1.8.12 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/skeema/knownhosts v1.3.0 // indirect
github.com/skeema/knownhosts v1.3.1 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/spf13/afero v1.11.0 // indirect
github.com/spf13/afero v1.12.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
github.com/tchap/go-patricia/v2 v2.3.2 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
@@ -387,12 +383,12 @@ require (
go.opentelemetry.io/otel/trace v1.34.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/oauth2 v0.25.0 // indirect
golang.org/x/sys v0.29.0 // indirect
golang.org/x/oauth2 v0.26.0 // indirect
golang.org/x/sys v0.31.0 // indirect
golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
golang.org/x/time v0.9.0 // indirect
golang.org/x/time v0.10.0 // indirect
golang.org/x/tools v0.29.0 // indirect
google.golang.org/api v0.216.0 // indirect
google.golang.org/api v0.218.0 // indirect
google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
@@ -400,40 +396,58 @@ require (
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
k8s.io/apiextensions-apiserver v0.32.0 // indirect
k8s.io/apimachinery v0.32.1 // indirect
k8s.io/apiserver v0.32.0 // indirect
k8s.io/cli-runtime v0.32.1 // indirect
k8s.io/client-go v0.32.1 // indirect
k8s.io/component-base v0.32.1 // indirect
k8s.io/apiextensions-apiserver v0.32.2 // indirect
k8s.io/apimachinery v0.32.3 // indirect
k8s.io/apiserver v0.32.2 // indirect
k8s.io/cli-runtime v0.32.3 // indirect
k8s.io/client-go v0.32.3 // indirect
k8s.io/component-base v0.32.3 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
k8s.io/kubectl v0.32.1 // indirect
modernc.org/libc v1.55.3 // indirect
modernc.org/mathutil v1.6.0 // indirect
modernc.org/memory v1.8.0 // indirect
mvdan.cc/sh/v3 v3.10.0 // indirect
k8s.io/kubectl v0.32.3 // indirect
modernc.org/libc v1.61.13 // indirect
modernc.org/mathutil v1.7.1 // indirect
modernc.org/memory v1.8.2 // indirect
mvdan.cc/sh/v3 v3.11.0 // indirect
oras.land/oras-go v1.2.5 // indirect
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
sigs.k8s.io/kustomize/api v0.18.0 // indirect
sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
tags.cncf.io/container-device-interface v0.8.0 // indirect
tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect
)
require (
github.com/alessio/shellescape v1.4.1 // indirect
github.com/aws/aws-sdk-go v1.55.6 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.24.12 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.33.10 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
github.com/google/go-github/v31 v31.0.0 // indirect
github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
github.com/google/subcommands v1.2.0 // indirect
github.com/knqyf263/labeler v0.0.0-20200423181506-7a6e545148c3 // indirect
github.com/oklog/ulid/v2 v2.1.0 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/samber/oops v1.15.0 // indirect
github.com/tonglil/versioning v0.0.0-20170205083536-8b2a4334bd1d // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
sigs.k8s.io/kind v0.19.0 // indirect
)
tool (
github.com/google/wire/cmd/wire
github.com/knqyf263/labeler
github.com/magefile/mage
golang.org/x/tools/cmd/goyacc
sigs.k8s.io/kind
)

446
go.sum
View File

@@ -101,10 +101,10 @@ cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVo
cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo=
cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0=
cloud.google.com/go/assuredworkloads v1.10.0/go.mod h1:kwdUQuXcedVdsIaKgKTp9t0UJkE5+PAVNhdQm4ZVq2E=
cloud.google.com/go/auth v0.13.0 h1:8Fu8TZy167JkW8Tj3q7dIkr2v4cndv41ouecJx0PAHs=
cloud.google.com/go/auth v0.13.0/go.mod h1:COOjD9gwfKNKz+IIduatIhYJQIc0mG3H102r/EMxX6Q=
cloud.google.com/go/auth/oauth2adapt v0.2.6 h1:V6a6XDu2lTwPZWOawrAa9HUK+DB2zfJyTuciBG5hFkU=
cloud.google.com/go/auth/oauth2adapt v0.2.6/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8=
cloud.google.com/go/auth v0.14.0 h1:A5C4dKV/Spdvxcl0ggWwWEzzP7AZMJSEIgrkngwhGYM=
cloud.google.com/go/auth v0.14.0/go.mod h1:CYsoRL1PdiDuqeQpZE0bP2pnPrGqFcOkI0nldEQis+A=
cloud.google.com/go/auth/oauth2adapt v0.2.7 h1:/Lc7xODdqcEw8IrZ9SvwnlLX6j9FHQM74z6cBk9Rw6M=
cloud.google.com/go/auth/oauth2adapt v0.2.7/go.mod h1:NTbTTzfvPl1Y3V1nPpOgl2w6d/FjO7NNUQaWSox6ZMc=
cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0=
cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8=
cloud.google.com/go/automl v1.7.0/go.mod h1:RL9MYCCsJEOmt0Wf3z9uzG0a7adTT1fe+aObgSpkCt8=
@@ -547,8 +547,8 @@ cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeL
cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s=
cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y=
cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4=
cloud.google.com/go/storage v1.45.0 h1:5av0QcIVj77t+44mV4gffFC/LscFRUhto6UBMB5SimM=
cloud.google.com/go/storage v1.45.0/go.mod h1:wpPblkIuMP5jCB/E48Pz9zIo2S/zD8g+ITmxKkPCITE=
cloud.google.com/go/storage v1.49.0 h1:zenOPBOWHCnojRd9aJZAyQXBYqkJkdQS42dxL55CIMw=
cloud.google.com/go/storage v1.49.0/go.mod h1:k1eHhhpLvrPjVGfo0mOUPEJ4Y2+a/Hv5PiwehZI9qGU=
cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w=
cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I=
cloud.google.com/go/storagetransfer v1.7.0/go.mod h1:8Giuj1QNb1kfLAiWM1bN6dHzfdlDAVC9rv9abHot2W4=
@@ -639,10 +639,10 @@ github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 h1:g0EZJwz7xkXQiZAI5xi9f3WWFYBlX1CPTrR+NDToRkQ=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0/go.mod h1:XCW7KnZet0Opnr7HccfUw1PLc4CjHqpcaxW8DHklNkQ=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1 h1:1mvYtZfWQAnwNah/C+Z+Jb9rQH95LPE2vlmMuWAHJk8=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1/go.mod h1:75I/mXtme1JyWFtz8GocPHVFyH421IBoZErnO16dd0k=
github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.1 h1:Bk5uOhSAenHyR5P61D/NzeQCv+4fEVV8mOkJ82NqpWw=
github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.1/go.mod h1:QZ4pw3or1WPmRBxf0cHd1tknzrT54WPBOQoGutCPvSU=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 h1:F0gBpfdPLGsw+nsgk6aqqkZS1jiixa5WwFe3fk/T3Ys=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2/go.mod h1:SqINnQ9lVVdRlyC8cd1lCI0SdX4n2paeABd2K8ggfnE=
github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.0 h1:7rKG7UmnrxX4N53TFhkYqjc+kVUZuw0fL8I3Fh+Ld9E=
@@ -673,9 +673,10 @@ github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUM
github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 h1:kYRSnvJju5gYVyhkij+RTJ/VR6QIUaCfWeaFm2ycsjQ=
github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 h1:H5xDQaE3XowWfhZRUpnfC+rGZMEVoSiji+b+/HFAPU4=
github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
@@ -718,8 +719,6 @@ github.com/Microsoft/hcsshim v0.12.9/go.mod h1:fJ0gkFAna6ukt0bLdKB8djt4XIJhF/vEP
github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
github.com/ProtonMail/go-crypto v1.1.5 h1:eoAQfK2dwL+tFSFpr7TbOaPNUbPiJj4fLYwwGE1FQO4=
github.com/ProtonMail/go-crypto v1.1.5/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs=
@@ -730,8 +729,8 @@ github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1o
github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4=
github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
github.com/agnivade/levenshtein v1.2.0 h1:U9L4IOT0Y3i0TIlUIDJ7rVUziKi/zPbrJGaFrtYH3SY=
github.com/agnivade/levenshtein v1.2.0/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM=
github.com/agnivade/levenshtein v1.2.1/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
github.com/ajstarks/deck v0.0.0-20200831202436-30c9fc6549a9/go.mod h1:JynElWSGnm/4RlzPXRlREEwqTHAN3T56Bv2ITsFT3gY=
github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod h1:T13YZdzov6OU0A1+RfKZiZN9ca6VeKdBdyDV+BY97Tk=
github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
@@ -803,14 +802,14 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v1.6.1 h1:ANxKl+c9/k3Uk0YNQwpFBx++CG9Goi5T0YeN7Qimmf4=
github.com/aquasecurity/trivy-checks v1.6.1/go.mod h1:xjHg4ivIIIFD7FFNpGrqxi1pRgAW1EXeG4VlkGiymjI=
github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e h1:O5j5SeCNBrXApgBTOobO06q4LMxJxIhcSGE7H6Y154E=
github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e/go.mod h1:gS8VhlNxhraiq60BBnJw9kGtjeMspQ9E8pX24jCL4jg=
github.com/aquasecurity/trivy-checks v1.8.0 h1:frMR06SEeDff1oEO6wBaTCqZCTBmZ+j8QAAl5EM1M4w=
github.com/aquasecurity/trivy-checks v1.8.0/go.mod h1:zc1DGUFDUP/NUEMXlfaMsnVAEEEsygJrcd4SRQ7Mpko=
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d h1:T16WrTi21YsMLQVhtp1r1hOIYK3x4BjnftpL9cp64Eo=
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d/go.mod h1:4bTsQPtMBN8v+UfUlE1aQBN1imftefnDafHBF85+aT8=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.7.0 h1:0pRJFSslUYd9xzQIEw1c0mS7k1Vv489nH/LsxeU6yME=
github.com/aquasecurity/trivy-kubernetes v0.7.0/go.mod h1:O6JZMicTmZrsjEpGzsnBMhPTHAfpnTMqXTAMidG6M+M=
github.com/aquasecurity/trivy-kubernetes v0.8.0 h1:GWnRPSPCmXnd5NTMZdobQx6xO2XzEtvxcv0gjS2tYnY=
github.com/aquasecurity/trivy-kubernetes v0.8.0/go.mod h1:ueJJboNlUyi99DJvO5ZyZ/jnJWvZ0eTA6AzKxHHqMF8=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
@@ -820,44 +819,44 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:W
github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk=
github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
github.com/aws/aws-sdk-go-v2 v1.34.0 h1:9iyL+cjifckRGEVpRKZP3eIxVlL06Qk1Tk13vreaVQU=
github.com/aws/aws-sdk-go-v2 v1.34.0/go.mod h1:JgstGg0JjWU1KpVJjD5H0y0yyAIpSdKEq556EI6yOOM=
github.com/aws/aws-sdk-go-v2/config v1.29.2 h1:JuIxOEPcSKpMB0J+khMjznG9LIhIBdmqNiEcPclnwqc=
github.com/aws/aws-sdk-go-v2/config v1.29.2/go.mod h1:HktTHregOZwNSM/e7WTfVSu9RCX+3eOv+6ij27PtaYs=
github.com/aws/aws-sdk-go-v2/credentials v1.17.55 h1:CDhKnDEaGkLA5ZszV/qw5uwN5M8rbv9Cl0JRN+PRsaM=
github.com/aws/aws-sdk-go-v2/credentials v1.17.55/go.mod h1:kPD/vj+RB5MREDUky376+zdnjZpR+WgdBBvwrmnlmKE=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25 h1:kU7tmXNaJ07LsyN3BUgGqAmVmQtq0w6duVIHAKfp0/w=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.25/go.mod h1:OiC8+OiqrURb1wrwmr/UbOVLFSWEGxjinj5C299VQdo=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29 h1:Ej0Rf3GMv50Qh4G4852j2djtoDb7AzQ7MuQeFHa3D70=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.29/go.mod h1:oeNTC7PwJNoM5AznVr23wxhLnuJv0ZDe5v7w0wqIs9M=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29 h1:6e8a71X+9GfghragVevC5bZqvATtc3mAMgxpSNbgzF0=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.29/go.mod h1:c4jkZiQ+BWpNqq7VtrxjwISrLrt/VvPq3XiopkUIolI=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 h1:Pg9URiobXy85kgFev3og2CuOZ8JZUBENF+dcgWBaYNk=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
github.com/aws/aws-sdk-go-v2/config v1.29.9 h1:Kg+fAYNaJeGXp1vmjtidss8O2uXIsXwaRqsQJKXVr+0=
github.com/aws/aws-sdk-go-v2/config v1.29.9/go.mod h1:oU3jj2O53kgOU4TXq/yipt6ryiooYjlkqqVaZk7gY/U=
github.com/aws/aws-sdk-go-v2/credentials v1.17.62 h1:fvtQY3zFzYJ9CfixuAQ96IxDrBajbBWGqjNTCa79ocU=
github.com/aws/aws-sdk-go-v2/credentials v1.17.62/go.mod h1:ElETBxIQqcxej++Cs8GyPBbgMys5DgQPTwo7cUPDKt8=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 h1:SeDJWG4pmye+/aO6k+zt9clPTUy1MXqUmkW8rbAddQg=
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1/go.mod h1:wRzaW0v9GGQS0h//wpsVDw3Hah5gs5UP+NxoyGeZIGM=
github.com/aws/aws-sdk-go-v2/service/ec2 v1.201.1 h1:HJUHMHbBg3stGO7ZZfpwbeK9xVhGS7GK8NScady6Moc=
github.com/aws/aws-sdk-go-v2/service/ec2 v1.201.1/go.mod h1:cRD0Fhzj0YD+uAh16NChQAv9/BB0S9x3YK9hLx1jb/k=
github.com/aws/aws-sdk-go-v2/service/ecr v1.38.7 h1:3fxpNAXVQV7J3dymLoQjoI5AxbrI4/FDYlfk+wPoB3s=
github.com/aws/aws-sdk-go-v2/service/ecr v1.38.7/go.mod h1:vj6+DOvmrbZgqmZvyrbMienKS3PQTHJpqa+BRBKR6Xc=
github.com/aws/aws-sdk-go-v2/service/ec2 v1.207.1 h1:yIbrcRq0nKF75IlSiUlo4g/Qe3RzGBdDCR+WRZLf5IE=
github.com/aws/aws-sdk-go-v2/service/ec2 v1.207.1/go.mod h1:ouvGEfHbLaIlWwpDpOVWPWR+YwO0HDv3vm5tYLq8ImY=
github.com/aws/aws-sdk-go-v2/service/ecr v1.42.1 h1:mgtRN6wS2Frq29O7YNTn18ieokL193RFpLhUbsvs7o0=
github.com/aws/aws-sdk-go-v2/service/ecr v1.42.1/go.mod h1:iQ1skgw1XRK+6Lgkb0I9ODatAP72WoTILh0zXQ5DtbU=
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0=
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2/go.mod h1:fUHpGXr4DrXkEDpGAjClPsviWf+Bszeb0daKE0blxv8=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 h1:D4oz8/CzT9bAEYtVhSBmFj2dNOtaHOtMKc2vHBwYizA=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2/go.mod h1:Za3IHqTQ+yNcRHxu1OFucBh0ACZT4j4VQFF0BqpZcLY=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10 h1:hN4yJBGswmFTOVYqmbz1GBs9ZMtQe8SrYxPwrkrlRv8=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.10/go.mod h1:TsxON4fEZXyrKY+D+3d2gSTyJkGORexIYab9PTf56DA=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
github.com/aws/aws-sdk-go-v2/service/kms v1.37.8 h1:KbLZjYqhQ9hyB4HwXiheiflTlYQa0+Fz0Ms/rh5f3mk=
github.com/aws/aws-sdk-go-v2/service/kms v1.37.8/go.mod h1:ANs9kBhK4Ghj9z1W+bsr3WsNaPF71qkgd6eE6Ekol/Y=
github.com/aws/aws-sdk-go-v2/service/s3 v1.74.1 h1:9LawY3cDJ3HE+v2GMd5SOkNLDwgN4K7TsCjyVBYu/L4=
github.com/aws/aws-sdk-go-v2/service/s3 v1.74.1/go.mod h1:hHnELVnIHltd8EOF3YzahVX6F6y2C6dNqpRj1IMkS5I=
github.com/aws/aws-sdk-go-v2/service/sso v1.24.12 h1:kznaW4f81mNMlREkU9w3jUuJvU5g/KsqDV43ab7Rp6s=
github.com/aws/aws-sdk-go-v2/service/sso v1.24.12/go.mod h1:bZy9r8e0/s0P7BSDHgMLXK2KvdyRRBIQ2blKlvLt0IU=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11 h1:mUwIpAvILeKFnRx4h1dEgGEFGuV8KJ3pEScZWVFYuZA=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.11/go.mod h1:JDJtD+b8HNVv71axz8+S5492KM8wTzHRFpMKQbPlYxw=
github.com/aws/aws-sdk-go-v2/service/sts v1.33.10 h1:g9d+TOsu3ac7SgmY2dUf1qMgu/uJVTlQ4VCbH6hRxSw=
github.com/aws/aws-sdk-go-v2/service/sts v1.33.10/go.mod h1:WZfNmntu92HO44MVZAubQaz3qCuIdeOdog2sADfU6hU=
github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
github.com/aws/aws-sdk-go-v2/service/s3 v1.78.1 h1:1M0gSbyP6q06gl3384wpoKPaH9G16NPqZFieEhLboSU=
github.com/aws/aws-sdk-go-v2/service/s3 v1.78.1/go.mod h1:4qzsZSzB/KiX2EzDjs9D7A8rI/WGJxZceVJIHqtJjIU=
github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 h1:8JdC7Gr9NROg1Rusk25IcZeTO59zLxsKgE0gkh5O6h0=
github.com/aws/aws-sdk-go-v2/service/sso v1.25.1/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 h1:KwuLovgQPcdjNMfFt9OhUd9a2OwcOKhxfvF4glTzLuA=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 h1:PZV5W8yk4OtH1JAuhV2PXwwO9v5G5Aoj+eMCn4T+1Kc=
github.com/aws/aws-sdk-go-v2/service/sts v1.33.17/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
github.com/aws/smithy-go v1.22.3 h1:Z//5NuZCSW6R4PhQ93hShNbyBbn8BWCmCVCt+Q8Io5k=
github.com/aws/smithy-go v1.22.3/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M=
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -910,8 +909,8 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
github.com/cheggaaa/pb/v3 v3.1.6 h1:h0x+vd7EiUohAJ29DJtJy+SNAc55t/elW3jCD086EXk=
github.com/cheggaaa/pb/v3 v3.1.6/go.mod h1:urxmfVtaxT+9aWk92DbsvXFZtNSWQSO5TRAp+MJ3l1s=
github.com/cheggaaa/pb/v3 v3.1.7 h1:2FsIW307kt7A/rz/ZI2lvPO+v3wKazzE4K/0LtTWsOI=
github.com/cheggaaa/pb/v3 v3.1.7/go.mod h1:/Ji89zfVPeC/u5j8ukD0MBPHt2bzTYp74lQ7KlgFWTQ=
github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 h1:krfRl01rzPzxSxyLyrChD+U+MzsBXbm0OwYYB67uF+4=
github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589/go.mod h1:OuDyvmLnMCwa2ep4Jkm6nyA0ocJuZlGyk2gGseVzERM=
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@@ -920,8 +919,8 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
github.com/clbanning/mxj/v2 v2.7.0 h1:WA/La7UGCanFe5NpHF0Q3DNtnCsVoxbPKuyBNHWRyME=
github.com/clbanning/mxj/v2 v2.7.0/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cloudflare/circl v1.5.0 h1:hxIWksrX6XN5a1L2TI/h53AGPhNHoUBo+TD1ms9+pys=
github.com/cloudflare/circl v1.5.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -945,12 +944,12 @@ github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=
github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0=
github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
github.com/containerd/containerd v1.7.25 h1:khEQOAXOEJalRO228yzVsuASLH42vT7DIo9Ss+9SMFQ=
github.com/containerd/containerd v1.7.25/go.mod h1:tWfHzVI0azhw4CT2vaIjsb2CoV4LJ9PrMPaULAr21Ok=
github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
github.com/containerd/containerd/v2 v2.0.2 h1:GmH/tRBlTvrXOLwSpWE2vNAm8+MqI6nmxKpKBNKY8Wc=
github.com/containerd/containerd/v2 v2.0.2/go.mod h1:wIqEvQ/6cyPFUGJ5yMFanspPabMLor+bF865OHvNTTI=
github.com/containerd/containerd/v2 v2.0.4 h1:+r7yJMwhTfMm3CDyiBjMBQO8a9CTBxL2Bg/JtqtIwB8=
github.com/containerd/containerd/v2 v2.0.4/go.mod h1:5j9QUUaV/cy9ZeAx4S+8n9ffpf+iYnEj4jiExgcbuLY=
github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
@@ -977,16 +976,16 @@ github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDh
github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc=
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM=
github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs=
github.com/danieljoos/wincred v1.2.1/go.mod h1:uGaFL9fDn3OLTvzCGulzE+SzjEe5NGlh5FdCcyfPwps=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -1018,8 +1017,8 @@ github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvD
github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v27.5.0+incompatible h1:um++2NcQtGRTz5eEgO6aJimo6/JxrTXC941hd05JO6U=
github.com/docker/docker v27.5.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker v27.5.1+incompatible h1:4PYU5dnBYqRQi0294d1FBECqT9ECWeQAIfE8q4YnPY8=
github.com/docker/docker v27.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -1033,14 +1032,14 @@ github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
github.com/dsnet/compress v0.0.1 h1:PlZu0n3Tuv04TzpfPbrnI0HW/YwodEXDS+oPKahKF0Q=
github.com/dsnet/compress v0.0.1/go.mod h1:Aw8dCMJ7RioblQeTqt88akK31OvO8Dhf5JflhBbQEHo=
github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 h1:2tV76y6Q9BB+NEBasnqvs7e49aEBFI8ejC89PSnWH+4=
github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
github.com/elazarl/goproxy v1.4.0 h1:4GyuSbFa+s26+3rmYNSuUVsx+HgPrV1bk1jXI0l9wjM=
github.com/elazarl/goproxy v1.4.0/go.mod h1:X/5W/t+gzDyLfHW4DrMdpjqYjpXsURlBt9lpBDxZZZQ=
github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/emicklei/proto v1.12.1 h1:6n/Z2pZAnBwuhU66Gs8160B8rrrYKo7h2F2sCOnNceE=
@@ -1068,11 +1067,12 @@ github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6
github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4=
github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls=
github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4=
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc=
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -1092,8 +1092,6 @@ github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/
github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4=
github.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0=
@@ -1114,8 +1112,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
github.com/go-git/go-git/v5 v5.13.2 h1:7O7xvsK7K+rZPKW6AQR1YyNhfywkv7B8/FsP3ki6Zv0=
github.com/go-git/go-git/v5 v5.13.2/go.mod h1:hWdW5P4YZRjmpGHwRH2v3zkWcNl6HeXaXQEMGb3NJ9A=
github.com/go-git/go-git/v5 v5.14.0 h1:/MD3lCrGjCen5WfEAzKg00MJJffKhC8gzS80ycmCi60=
github.com/go-git/go-git/v5 v5.14.0/go.mod h1:Z5Xhoia5PcWA3NF8vRLURn9E5FRhSl7dGj9ItW3Wk5k=
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -1125,8 +1123,10 @@ github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
github.com/go-json-experiment/json v0.0.0-20250211171154-1ae217ad3535 h1:yE7argOs92u+sSCRgqqe6eF+cDaVhSPlioy1UkA0p/w=
github.com/go-json-experiment/json v0.0.0-20250211171154-1ae217ad3535/go.mod h1:BWmvoE1Xia34f3l/ibJweyhrT+aROb/FQ6d+37F0e2s=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U=
github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk=
@@ -1164,16 +1164,8 @@ github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhO
github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
github.com/go-piv/piv-go v1.11.0 h1:5vAaCdRTFSIW4PeqMbnsDlUZ7odMYWnHBDGdmtU/Zhg=
github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM=
github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4=
github.com/go-playground/validator/v10 v10.18.0 h1:BvolUXjp4zuvkZ5YN5t7ebzbhlUtPsPm2S9NAZ5nl9U=
github.com/go-playground/validator/v10 v10.18.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
@@ -1187,12 +1179,14 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v
github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
github.com/goccy/go-yaml v1.8.1/go.mod h1:wS4gNoLalDSJxo/SpngzPQ2BN4uuZVLCmbM4S3vd4+Y=
github.com/goccy/go-yaml v1.9.5 h1:Eh/+3uk9kLxG4koCX6lRMAPS1OaMSAi+FJcya0INdB0=
github.com/goccy/go-yaml v1.9.5/go.mod h1:U/jl18uSupI5rdI2jmuCswEA2htH9eXfferR3KfscvA=
github.com/goccy/go-yaml v1.15.23 h1:WS0GAX1uNPDLUvLkNU2vXq6oTnsmfVFocjQ/4qA48qo=
github.com/goccy/go-yaml v1.15.23/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
github.com/gocsaf/csaf/v3 v3.1.1 h1:g8kmqIwf8zqcMdQgaQT5UcPcyzvXxJyleT/T8Rt2OmQ=
github.com/gocsaf/csaf/v3 v3.1.1/go.mod h1:EpUCrQg69i+Y66MphmQvVbcj333GFLjXOYHg1zoXVso=
github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
@@ -1205,10 +1199,10 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
@@ -1280,14 +1274,18 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI=
github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI=
github.com/google/go-github/v31 v31.0.0 h1:JJUxlP9lFK+ziXKimTCprajMApV1ecWD4NB6CCb0plo=
github.com/google/go-github/v31 v31.0.0/go.mod h1:NQPZol8/1sMoWYGN2yaALIBytu17gAWfhbweiEed3pM=
github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg=
github.com/google/go-github/v55 v55.0.0/go.mod h1:JLahOTA1DnXzhxEymmFF5PP2tSS9JVNj68mSZNDwskA=
github.com/google/go-github/v62 v62.0.0 h1:/6mGCaRywZz9MuHyw9gD1CwsbmBX8GWsbFkwMmHdhl4=
github.com/google/go-github/v62 v62.0.0/go.mod h1:EMxeUqGJq2xRu9DYBMwel/mr7kZrzUOfQmmpYrZn2a4=
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -1322,10 +1320,13 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLe
github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM=
github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA=
github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 h1:SJ+NtwL6QaZ21U+IrK7d0gGgpjGGvd2kz+FzTHVzdqI=
github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2/go.mod h1:Tv1PlzqC9t8wNnpPdctvtSUOPUUg4SHeE6vR1Ir2hmg=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
github.com/google/subcommands v1.2.0 h1:vWQspBTo2nEqTUFita5/KeEWlUL8kQObDFbub/EN9oE=
github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w=
github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM=
@@ -1411,8 +1412,8 @@ github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs
github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
github.com/hashicorp/hc-install v0.9.1 h1:gkqTfE3vVbafGQo6VZXcy2v5yoz2bE0+nhZXruCuODQ=
github.com/hashicorp/hc-install v0.9.1/go.mod h1:pWWvN/IrfeBK4XPeXXYkL6EjMufHkCK5DvwxeLKuBf0=
github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y6xGI0I=
github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos=
github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
github.com/hashicorp/terraform-exec v0.22.0 h1:G5+4Sz6jYZfRYUCg6eQgDsqTzkNXV+fP8l+uRmZHj64=
@@ -1431,6 +1432,7 @@ github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:
github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
@@ -1439,6 +1441,7 @@ github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY
github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267/go.mod h1:h1nSAbGFqGVzn6Jyl1R/iCcBUHN4g+gW1u9CoBTrb9E=
github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc=
github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY=
github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
@@ -1482,6 +1485,8 @@ github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 h1:aC6MEAs
github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
github.com/knqyf263/go-rpmdb v0.1.1 h1:oh68mTCvp1XzxdU7EfafcWzzfstUZAEa3MW0IJye584=
github.com/knqyf263/go-rpmdb v0.1.1/go.mod h1:9LQcoMCMQ9vrF7HcDtXfvqGO4+ddxFQ8+YF/0CVGDww=
github.com/knqyf263/labeler v0.0.0-20200423181506-7a6e545148c3 h1:AvRd4VDhlo8/opGjS79zaVmIfoZzEOtBV1PvSRUkC7o=
github.com/knqyf263/labeler v0.0.0-20200423181506-7a6e545148c3/go.mod h1:DfoJpLAw0HeB4cYJFg1S8LqtYDvSKv3rh3wGAFwv5Bg=
github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -1503,8 +1508,6 @@ github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtB
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk=
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw=
github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ=
github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk=
github.com/liamg/memoryfs v1.6.0 h1:jAFec2HI1PgMTem5gR7UT8zi9u4BfG5jorCRlLH06W8=
@@ -1533,8 +1536,8 @@ github.com/masahiro331/go-ebs-file v0.0.0-20240917043618-e6d2bea5c32e h1:nCgF1JE
github.com/masahiro331/go-ebs-file v0.0.0-20240917043618-e6d2bea5c32e/go.mod h1:XFWPTlAcEL733RUjbr0QBybdt6oK2DH7LZk8id2qtd4=
github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd h1:JEIW94K3spsvBI5Xb9PGhKSIza9/jxO1lF30tPCAJlA=
github.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd/go.mod h1:3XMMY1M486mWGTD13WPItg6FsgflQR72ZMAkd+gsyoQ=
github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08 h1:AevUBW4cc99rAF8q8vmddIP8qd/0J5s/UyltGbp66dg=
github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08/go.mod h1:JOkBRrE1HvgTyjk6diFtNGgr8XJMtIfiBzkL5krqzVk=
github.com/masahiro331/go-mvn-version v0.0.0-20250131095131-f4974fa13b8a h1:eLvAzVoRfHEOl64OxFhepPf3vj7SKvXY/tFc3BS0b7s=
github.com/masahiro331/go-mvn-version v0.0.0-20250131095131-f4974fa13b8a/go.mod h1:jZ3F25l7DbD7l7DcA8aj7eo1EZ84nbzcQHBB4lCSrI8=
github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd h1:Y30EzvuoVp97b0unb/GOFXzBUKRXZXUN2e0wYmvC+ic=
github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd/go.mod h1:5f7mCJGW9cJb8SDn3z8qodGxpMCOo8d/2nls/tiwRrw=
github.com/masahiro331/go-xfs-filesystem v0.0.0-20231205045356-1b22259a6c44 h1:VmSjn0UCyfXUNdePDr7uM/uZTnGSp+mKD5+cYkEoLx4=
@@ -1542,13 +1545,13 @@ github.com/masahiro331/go-xfs-filesystem v0.0.0-20231205045356-1b22259a6c44/go.m
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
github.com/mattn/go-colorable v0.1.7/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
@@ -1562,8 +1565,6 @@ github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxU
github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032 h1:TLygBUBxikNJJfLwgm+Qwdgq1FtfV8Uh7bcxRyTzK8s=
github.com/microsoft/go-rustaudit v0.0.0-20220808201409-204dfee52032/go.mod h1:vYT9HE7WCvL64iVeZylKmCsWKfE+JZ8105iuh2Trk8g=
github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU=
@@ -1584,7 +1585,6 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
github.com/moby/buildkit v0.18.2 h1:l86uBvxh4ntNoUUg3Y0eGTbKg1PbUh6tawJ4Xt75SpQ=
github.com/moby/buildkit v0.18.2/go.mod h1:vCR5CX8NGsPTthTg681+9kdmfvkvqJBXEv71GZe5msU=
github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
@@ -1620,7 +1620,6 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
github.com/mozillazg/docker-credential-acr-helper v0.3.0 h1:DVWFZ3/O8BP6Ue3iS/Olw+G07u1hCq1EOVCDZZjCIBI=
github.com/mozillazg/docker-credential-acr-helper v0.3.0/go.mod h1:cZlu3tof523ujmLuiNUb6JsjtHcNA70u1jitrrdnuyA=
github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -1628,6 +1627,7 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
@@ -1636,6 +1636,8 @@ github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
github.com/oklog/ulid/v2 v2.1.0 h1:+9lhoxAP56we25tyYETBBY1YLA2SaoLvUFgrP2miPJU=
github.com/oklog/ulid/v2 v2.1.0/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
github.com/oleiade/reflections v1.0.1 h1:D1XO3LVEYroYskEsoSiGItp9RUxG6jWnCVvrqH0HHQM=
github.com/oleiade/reflections v1.0.1/go.mod h1:rdFxbxq4QXVZWj0F+e9jqjDkc7dbp97vkRixKo2JR60=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
@@ -1652,18 +1654,14 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
github.com/open-policy-agent/opa v1.1.0 h1:HMz2evdEMTyNqtdLjmu3Vyx06BmhNYAx67Yz3Ll9q2s=
github.com/open-policy-agent/opa v1.1.0/go.mod h1:T1pASQ1/vwfTa+e2fYcfpLCvWgYtqtiUv+IuA/dLPQs=
github.com/open-policy-agent/opa v1.2.0 h1:88NDVCM0of1eO6Z4AFeL3utTEtMuwloFmWWU7dRV1z0=
github.com/open-policy-agent/opa v1.2.0/go.mod h1:30euUmOvuBoebRCcJ7DMF42bRBOPznvt0ACUMYDUGVY=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
github.com/opencontainers/selinux v1.9.1/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
@@ -1675,12 +1673,16 @@ github.com/openvex/go-vex v0.2.5/go.mod h1:j+oadBxSUELkrKh4NfNb+BPo77U3q7gdKME88
github.com/owenrumney/go-sarif v1.1.1/go.mod h1:dNDiPlF04ESR/6fHlPyq7gHKmrM0sHUvAGjsoh8ZH0U=
github.com/owenrumney/go-sarif/v2 v2.3.3 h1:ubWDJcF5i3L/EIOER+ZyQ03IfplbSU1BLOE26uKQIIU=
github.com/owenrumney/go-sarif/v2 v2.3.3/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
github.com/owenrumney/squealer v1.2.6 h1:oxqhVqB99kZXAHLpKbpIMevxLgF1/Ihx3DTbO+9312w=
github.com/owenrumney/squealer v1.2.6/go.mod h1:k57s5gAGAWLhDmHLUDfycLx50cuviLC0CxBYxVep4yA=
github.com/owenrumney/squealer v1.2.11 h1:vMudrj70VeOzY+t7Phz9Yo0wAgm4kXes9DcTLBVDqGY=
github.com/owenrumney/squealer v1.2.11/go.mod h1:8KOuitfOfmS/OtzgxQbxnnrbngAGopfgKB/BiGGpqGA=
github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=
github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
@@ -1715,8 +1717,8 @@ github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjz
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
github.com/prometheus/client_golang v1.21.0 h1:DIsaGmiaBkSangBgMtWdNfxbMNdku5IK6iNhrEqWvdA=
github.com/prometheus/client_golang v1.21.0/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -1726,8 +1728,8 @@ github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p
github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
github.com/prometheus/common v0.61.0 h1:3gv/GThfX0cV2lpO7gkTUwZru38mxevy90Bj8YFSRQQ=
github.com/prometheus/common v0.61.0/go.mod h1:zr29OCN/2BsJRaFwG8QOBr41D6kkchKbpeNH7pAjb/s=
github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
@@ -1751,23 +1753,25 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
github.com/rubenv/sql-migrate v1.7.1 h1:f/o0WgfO/GqNuVg+6801K/KW3WdDSupzSjDYODmiUq4=
github.com/rubenv/sql-migrate v1.7.1/go.mod h1:Ob2Psprc0/3ggbM6wCzyYVFFuc6FyZrb2AS+ezLDFb4=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c h1:8gOLsYwaY2JwlTMT4brS5/9XJdrdIbmk2obvQ748CC0=
github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c/go.mod h1:kwM/7r/rVluTE8qJbHAffduuqmSv4knVQT2IajGvSiA=
github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
github.com/sagikazarmark/locafero v0.6.0 h1:ON7AQg37yzcRPU69mt7gwhFEBwxI6P9T4Qu3N51bwOk=
github.com/sagikazarmark/locafero v0.6.0/go.mod h1:77OmuIc6VTraTXKXIs/uvUxKGUXjE1GbemJYHqdNjX0=
github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
github.com/samber/lo v1.49.0 h1:AGnTnQrg1jpFuwECPUSoxZCfVH5W22b605kWSry3YxM=
github.com/samber/lo v1.49.0/go.mod h1:dO6KHFzUKXgP8LDhU0oI8d2hekjXnGOu0DB8Jecxd6o=
github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo=
github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
github.com/samber/lo v1.49.1 h1:4BIFyVfuQSEpluc7Fua+j1NolZHiEHEpaSEKdsH0tew=
github.com/samber/lo v1.49.1/go.mod h1:dO6KHFzUKXgP8LDhU0oI8d2hekjXnGOu0DB8Jecxd6o=
github.com/samber/oops v1.15.0 h1:/mF33KAqA2TugU6y/tomFpK6G6mJB7g0aqRyHkaSIeg=
github.com/samber/oops v1.15.0/go.mod h1:9LpLZkpjojEt/of7EpG5o65i/Lp23ddDvGhg2L871Ow=
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
github.com/sassoftware/go-rpmutils v0.4.0 h1:ojND82NYBxgwrV+mX1CWsd5QJvvEZTKddtCdFLPWhpg=
@@ -1799,8 +1803,8 @@ github.com/sigstore/cosign/v2 v2.2.4 h1:iY4vtEacmu2hkNj1Fh+8EBqBwKs2DHM27/lbNWDF
github.com/sigstore/cosign/v2 v2.2.4/go.mod h1:JZlRD2uaEjVAvZ1XJ3QkkZJhTqSDVtLaet+C/TMR81Y=
github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc=
github.com/sigstore/fulcio v1.4.5/go.mod h1:oz3Qwlma8dWcSS/IENR/6SjbW4ipN0cxpRVfgdsjMU8=
github.com/sigstore/rekor v1.3.8 h1:B8kJI8mpSIXova4Jxa6vXdJyysRxFGsEsLKBDl0rRjA=
github.com/sigstore/rekor v1.3.8/go.mod h1:/dHFYKSuxEygfDRnEwyJ+ZD6qoVYNXQdi1mJrKvKWsI=
github.com/sigstore/rekor v1.3.9 h1:sUjRpKVh/hhgqGMs0t+TubgYsksArZ6poLEC3MsGAzU=
github.com/sigstore/rekor v1.3.9/go.mod h1:xThNUhm6eNEmkJ/SiU/FVU7pLY2f380fSDZFsdDWlcM=
github.com/sigstore/sigstore v1.8.12 h1:S8xMVZbE2z9ZBuQUEG737pxdLjnbOIcFi5v9UFfkJFc=
github.com/sigstore/sigstore v1.8.12/go.mod h1:+PYQAa8rfw0QdPpBcT+Gl3egKD9c+TUgAlF12H3Nmjo=
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.12 h1:EC3UmIaa7nV9sCgSpVevmvgvTYTkMqyrRbj5ojPp7tE=
@@ -1815,11 +1819,10 @@ github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00J
github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0LY=
github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M=
github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
github.com/sosedoff/gitkit v0.4.0 h1:opyQJ/h9xMRLsz2ca/2CRXtstePcpldiZN8DpLLF8Os=
@@ -1833,16 +1836,20 @@ github.com/spdx/tools-golang v0.5.5/go.mod h1:MVIsXx8ZZzaRWNQpUDhC4Dud34edUYJYec
github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/cobra v0.0.0-20170130214531-35136c09d8da/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g=
github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/viper v1.20.0 h1:zrxIyR3RQIOsarIrgL8+sAvALXul9jeEPa06Y0Ph6vY=
github.com/spf13/viper v1.20.0/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
github.com/spiffe/go-spiffe/v2 v2.2.0 h1:9Vf06UsvsDbLYK/zJ4sYsIsHmMFknUD+feA7IYoWMQY=
github.com/spiffe/go-spiffe/v2 v2.2.0/go.mod h1:Urzb779b3+IwDJD2ZbN8fVl3Aa8G4N/PiUe6iXC0XxU=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -1869,8 +1876,6 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs=
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48=
github.com/tchap/go-patricia/v2 v2.3.2 h1:xTHFutuitO2zqKAQ5rCROYgUb7Or/+IC3fts9/Yc7nM=
@@ -1881,12 +1886,18 @@ github.com/testcontainers/testcontainers-go v0.35.0 h1:uADsZpTKFAtp8SLK+hMwSaa+X
github.com/testcontainers/testcontainers-go v0.35.0/go.mod h1:oEVBj5zrfJTrgjwONs1SsRbnBtH9OKl+IGl3UMcr2B4=
github.com/testcontainers/testcontainers-go/modules/localstack v0.35.0 h1:0EbOXcy8XQkyDUs1Y9YPUHOUByNnlGsLi5B3ln8F/RU=
github.com/testcontainers/testcontainers-go/modules/localstack v0.35.0/go.mod h1:MlHuaWQimz+15dmQ6R2S1vpYxhGFEpmRZQsL2NVWNng=
github.com/tetratelabs/wazero v1.8.2 h1:yIgLR/b2bN31bjxwXHD8a3d+BogigR952csSDdLYEv4=
github.com/tetratelabs/wazero v1.8.2/go.mod h1:yAI0XTsMBhREkM/YDAK/zNou3GoiAce1P6+rp/wQhjs=
github.com/tetratelabs/wazero v1.9.0 h1:IcZ56OuxrtaEz8UYNRHBrUa9bYeX9oVY93KspZZBf/I=
github.com/tetratelabs/wazero v1.9.0/go.mod h1:TSbcXCfFP0L2FGkRPxHphadXPjo1T6W+CseNNY7EkjM=
github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=
github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 h1:N9UxlsOzu5mttdjhxkDLbzwtEecuXmlxZVo/ds7JKJI=
github.com/tink-crypto/tink-go-awskms/v2 v2.1.0/go.mod h1:PxSp9GlOkKL9rlybW804uspnHuO9nbD98V/fDX4uSis=
github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhOSgcujNiECNRNb0=
github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0/go.mod h1:jY5YN2BqD/KSCHM9SqZPIpJNG/u3zwfLXHgws4x2IRw=
github.com/tink-crypto/tink-go/v2 v2.3.0 h1:4/TA0lw0lA/iVKBL9f8R5eP7397bfc4antAMXF5JRhs=
github.com/tink-crypto/tink-go/v2 v2.3.0/go.mod h1:kfPOtXIadHlekBTeBtJrHWqoGL+Fm3JQg0wtltPuxLU=
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho=
@@ -1897,17 +1908,18 @@ github.com/tklauser/go-sysconf v0.3.13/go.mod h1:zwleP4Q4OehZHGn4CYZDipCgg9usW5I
github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
github.com/tklauser/numcpus v0.7.0 h1:yjuerZP127QG9m5Zh/mSO4wqurYil27tHrqwRoRjpr4=
github.com/tklauser/numcpus v0.7.0/go.mod h1:bb6dMVcj8A42tSE7i32fsIUCbQNllK5iDguyOZRUzAY=
github.com/tonglil/versioning v0.0.0-20170205083536-8b2a4334bd1d h1:3H+wrTJTy3PVEeCyrjiCWjrh7pVEodGgJgA8Q1tpcbg=
github.com/tonglil/versioning v0.0.0-20170205083536-8b2a4334bd1d/go.mod h1:/jU0OcDkhtRrbaJPiG/p3X7XOP1pkFWLvUbsnQKP6hY=
github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 h1:7I5c2Ig/5FgqkYOh/N87NzoyI9U15qUPXhDD8uCupv8=
github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE=
github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
github.com/twitchtv/twirp v8.1.3+incompatible h1:+F4TdErPgSUbMZMwp13Q/KgDVuI7HJXP61mNV3/7iuU=
github.com/twitchtv/twirp v8.1.3+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A=
github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc=
github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs=
github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI=
@@ -1967,8 +1979,8 @@ github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0=
go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
go.etcd.io/bbolt v1.4.0 h1:TU77id3TnN/zKr7CO/uk+fBCwF2jGcMuw2B/FMAzYIk=
go.etcd.io/bbolt v1.4.0/go.mod h1:AsD+OCi/qPN1giOX1aiLAha3o1U8rAz65bvN4j0sRuk=
go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -1996,6 +2008,8 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0u
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 h1:wpMfgF8E1rkrT1Z6meFh1NDtownE9Ii3n3X2GJYjsaU=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0/go.mod h1:wAy0T/dUbs468uOlkT31xjvqQgEVXv58BRFWEgn5v/0=
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc=
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I=
go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
@@ -2009,8 +2023,8 @@ go.opentelemetry.io/proto/otlp v0.15.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI
go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
go.step.sm/crypto v0.56.0 h1:KcFfV76cI9Xaw8bdSc9x55skyuSdcHcTdL37vvVZnvY=
go.step.sm/crypto v0.56.0/go.mod h1:snWNloxY9s1W+HsFqcviq55nvzbqqX6LxVt0Vktv5mw=
go.step.sm/crypto v0.57.0 h1:YjoRQDaJYAxHLVwjst0Bl0xcnoKzVwuHCJtEo2VSHYU=
go.step.sm/crypto v0.57.0/go.mod h1:+Lwp5gOVPaTa3H/Ul/TzGbxQPXZZcKIUGMS0lG6n9Go=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
@@ -2035,8 +2049,9 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -2100,8 +2115,8 @@ golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -2170,8 +2185,9 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -2201,8 +2217,8 @@ golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec
golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -2222,8 +2238,9 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -2245,7 +2262,6 @@ golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -2326,8 +2342,9 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0=
golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
@@ -2344,8 +2361,9 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -2365,16 +2383,17 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4=
golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -2521,8 +2540,8 @@ google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/
google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI=
google.golang.org/api v0.111.0/go.mod h1:qtFHvU9mhgTJegR31csQ+rwxyUTHOKFqCKWp1J0fdw0=
google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg=
google.golang.org/api v0.216.0 h1:xnEHy+xWFrtYInWPy8OdGFsyIfWJjtVnO39g7pz2BFY=
google.golang.org/api v0.216.0/go.mod h1:K9wzQMvWi47Z9IU7OgdOofvZuw75Ge3PPITImZR/UyI=
google.golang.org/api v0.218.0 h1:x6JCjEWeZ9PFCRe9z0FBrNwj7pB7DOAqT35N+IPnAUA=
google.golang.org/api v0.218.0/go.mod h1:5VGHBAkxrA/8EFjLVEYmMUJ8/8+gWWQ3s4cFH0FxG2M=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -2730,12 +2749,14 @@ google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
@@ -2755,6 +2776,7 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkep
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
gopkg.in/yaml.v2 v2.0.0-20160928153709-a5b47d31c556/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -2768,8 +2790,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
helm.sh/helm/v3 v3.17.0 h1:DUD4AGdNVn7PSTYfxe1gmQG7s18QeWv/4jI9TubnhT0=
helm.sh/helm/v3 v3.17.0/go.mod h1:Mo7eGyKPPHlS0Ml67W8z/lbkox/gD9Xt1XpD6bxvZZA=
helm.sh/helm/v3 v3.17.2 h1:agYQ5ew2jq5vdx2K7q5W44KyKQrnSubUMCQsjkiv3/o=
helm.sh/helm/v3 v3.17.2/go.mod h1:+uJKMH/UiMzZQOALR3XUf3BLIoczI2RKKD6bMhPh4G8=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -2778,26 +2800,26 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
k8s.io/apiextensions-apiserver v0.32.0 h1:S0Xlqt51qzzqjKPxfgX1xh4HBZE+p8KKBq+k2SWNOE0=
k8s.io/apiextensions-apiserver v0.32.0/go.mod h1:86hblMvN5yxMvZrZFX2OhIHAuFIMJIZ19bTvzkP+Fmw=
k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
k8s.io/apiserver v0.32.0 h1:VJ89ZvQZ8p1sLeiWdRJpRD6oLozNZD2+qVSLi+ft5Qs=
k8s.io/apiserver v0.32.0/go.mod h1:HFh+dM1/BE/Hm4bS4nTXHVfN6Z6tFIZPi649n83b4Ag=
k8s.io/cli-runtime v0.32.1 h1:19nwZPlYGJPUDbhAxDIS2/oydCikvKMHsxroKNGA2mM=
k8s.io/cli-runtime v0.32.1/go.mod h1:NJPbeadVFnV2E7B7vF+FvU09mpwYlZCu8PqjzfuOnkY=
k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg=
k8s.io/component-base v0.32.1 h1:/5IfJ0dHIKBWysGV0yKTFfacZ5yNV1sulPh3ilJjRZk=
k8s.io/component-base v0.32.1/go.mod h1:j1iMMHi/sqAHeG5z+O9BFNCF698a1u0186zkjMZQ28w=
k8s.io/api v0.32.3 h1:Hw7KqxRusq+6QSplE3NYG4MBxZw1BZnq4aP4cJVINls=
k8s.io/api v0.32.3/go.mod h1:2wEDTXADtm/HA7CCMD8D8bK4yuBUptzaRhYcYEEYA3k=
k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4=
k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA=
k8s.io/apimachinery v0.32.3 h1:JmDuDarhDmA/Li7j3aPrwhpNBA94Nvk5zLeOge9HH1U=
k8s.io/apimachinery v0.32.3/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
k8s.io/apiserver v0.32.2 h1:WzyxAu4mvLkQxwD9hGa4ZfExo3yZZaYzoYvvVDlM6vw=
k8s.io/apiserver v0.32.2/go.mod h1:PEwREHiHNU2oFdte7BjzA1ZyjWjuckORLIK/wLV5goM=
k8s.io/cli-runtime v0.32.3 h1:khLF2ivU2T6Q77H97atx3REY9tXiA3OLOjWJxUrdvss=
k8s.io/cli-runtime v0.32.3/go.mod h1:vZT6dZq7mZAca53rwUfdFSZjdtLyfF61mkf/8q+Xjak=
k8s.io/client-go v0.32.3 h1:RKPVltzopkSgHS7aS98QdscAgtgah/+zmpAogooIqVU=
k8s.io/client-go v0.32.3/go.mod h1:3v0+3k4IcT9bXTc4V2rt+d2ZPPG700Xy6Oi0Gdl2PaY=
k8s.io/component-base v0.32.3 h1:98WJvvMs3QZ2LYHBzvltFSeJjEx7t5+8s71P7M74u8k=
k8s.io/component-base v0.32.3/go.mod h1:LWi9cR+yPAv7cu2X9rZanTiFKB2kHA+JjmhkKjCZRpI=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
k8s.io/kubectl v0.32.1 h1:/btLtXLQUU1rWx8AEvX9jrb9LaI6yeezt3sFALhB8M8=
k8s.io/kubectl v0.32.1/go.mod h1:sezNuyWi1STk4ZNPVRIFfgjqMI6XMf+oCVLjZen/pFQ=
k8s.io/kubectl v0.32.3 h1:VMi584rbboso+yjfv0d8uBHwwxbC438LKq+dXd5tOAI=
k8s.io/kubectl v0.32.3/go.mod h1:6Euv2aso5GKzo/UVMacV6C7miuyevpfI91SvBvV9Zdg=
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
@@ -2805,21 +2827,21 @@ lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl
modernc.org/cc/v3 v3.36.0/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
modernc.org/cc/v3 v3.36.2/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
modernc.org/cc/v3 v3.36.3/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
modernc.org/cc/v4 v4.21.4 h1:3Be/Rdo1fpr8GrQ7IVw9OHtplU4gWbb+wNgeoBMmGLQ=
modernc.org/cc/v4 v4.21.4/go.mod h1:HM7VJTZbUCR3rV8EYBi9wxnJ0ZBRiGE5OeGXNA0IsLQ=
modernc.org/cc/v4 v4.24.4 h1:TFkx1s6dCkQpd6dKurBNmpo+G8Zl4Sq/ztJ+2+DEsh0=
modernc.org/cc/v4 v4.24.4/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
modernc.org/ccgo/v3 v3.0.0-20220428102840-41399a37e894/go.mod h1:eI31LL8EwEBKPpNpA4bU1/i+sKOwOrQy8D87zWUcRZc=
modernc.org/ccgo/v3 v3.0.0-20220430103911-bc99d88307be/go.mod h1:bwdAnOoaIt8Ax9YdWGjxWsdkPcZyRPHqrOvJxaKAKGw=
modernc.org/ccgo/v3 v3.16.4/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
modernc.org/ccgo/v3 v3.16.6/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
modernc.org/ccgo/v3 v3.16.8/go.mod h1:zNjwkizS+fIFDrDjIAgBSCLkWbJuHF+ar3QRn+Z9aws=
modernc.org/ccgo/v3 v3.16.9/go.mod h1:zNMzC9A9xeNUepy6KuZBbugn3c0Mc9TeiJO4lgvkJDo=
modernc.org/ccgo/v4 v4.19.2 h1:lwQZgvboKD0jBwdaeVCTouxhxAyN6iawF3STraAal8Y=
modernc.org/ccgo/v4 v4.19.2/go.mod h1:ysS3mxiMV38XGRTTcgo0DQTeTmAO4oCmJl1nX9VFI3s=
modernc.org/ccgo/v4 v4.23.16 h1:Z2N+kk38b7SfySC1ZkpGLN2vthNJP1+ZzGZIlH7uBxo=
modernc.org/ccgo/v4 v4.23.16/go.mod h1:nNma8goMTY7aQZQNTyN9AIoJfxav4nvTnvKThAeMDdo=
modernc.org/ccorpus v1.11.6/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ=
modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE=
modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ=
modernc.org/gc/v2 v2.4.1 h1:9cNzOqPyMJBvrUipmynX0ZohMhcxPtMccYgGOJdOiBw=
modernc.org/gc/v2 v2.4.1/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU=
modernc.org/gc/v2 v2.6.3 h1:aJVhcqAte49LF+mGveZ5KPlsp4tdGdAOT4sipJXADjw=
modernc.org/gc/v2 v2.6.3/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
modernc.org/httpfs v1.0.6/go.mod h1:7dosgurJGp0sPaRanU53W4xZYKh14wfzX420oZADeHM=
modernc.org/libc v0.0.0-20220428101251-2d5f3daf273b/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA=
modernc.org/libc v1.16.0/go.mod h1:N4LD6DBE9cf+Dzf9buBlzVJndKr/iJHG97vGLHYnb5A=
@@ -2828,37 +2850,38 @@ modernc.org/libc v1.16.17/go.mod h1:hYIV5VZczAmGZAnG15Vdngn5HSF5cSkbvfz2B7GRuVU=
modernc.org/libc v1.16.19/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA=
modernc.org/libc v1.17.0/go.mod h1:XsgLldpP4aWlPlsjqKRdHPqCxCjISdHfM/yeWC5GyW0=
modernc.org/libc v1.17.1/go.mod h1:FZ23b+8LjxZs7XtFMbSzL/EhPxNbfZbErxEHc7cbD9s=
modernc.org/libc v1.55.3 h1:AzcW1mhlPNrRtjS5sS+eW2ISCgSOLLNyFzRh/V3Qj/U=
modernc.org/libc v1.55.3/go.mod h1:qFXepLhz+JjFThQ4kzwzOjA/y/artDeg+pcYnY+Q83w=
modernc.org/libc v1.61.13 h1:3LRd6ZO1ezsFiX1y+bHd1ipyEHIJKvuprv0sLTBwLW8=
modernc.org/libc v1.61.13/go.mod h1:8F/uJWL/3nNil0Lgt1Dpz+GgkApWh04N3el3hxJcA6E=
modernc.org/mathutil v1.2.2/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
modernc.org/mathutil v1.4.1/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
modernc.org/memory v1.1.1/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
modernc.org/memory v1.2.0/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
modernc.org/memory v1.2.1/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
modernc.org/memory v1.8.0 h1:IqGTL6eFMaDZZhEWwcREgeMXYwmW83LYW8cROZYkg+E=
modernc.org/memory v1.8.0/go.mod h1:XPZ936zp5OMKGWPqbD3JShgd/ZoQ7899TUuQqxY+peU=
modernc.org/memory v1.8.2 h1:cL9L4bcoAObu4NkxOlKWBWtNHIsnnACGF/TbqQ6sbcI=
modernc.org/memory v1.8.2/go.mod h1:ZbjSvMO5NQ1A2i3bWeDiVMxIorXwdClKE/0SZ+BMotU=
modernc.org/opt v0.1.1/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc=
modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss=
modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
modernc.org/sqlite v1.18.1/go.mod h1:6ho+Gow7oX5V+OiOQ6Tr4xeqbx13UZ6t+Fw9IRUG4d4=
modernc.org/sqlite v1.34.5 h1:Bb6SR13/fjp15jt70CL4f18JIN7p7dnMExd+UFnF15g=
modernc.org/sqlite v1.34.5/go.mod h1:YLuNmX9NKs8wRNK2ko1LW1NGYcc9FkBO69JOt1AR9JE=
modernc.org/sqlite v1.36.1 h1:bDa8BJUH4lg6EGkLbahKe/8QqoF8p9gArSc6fTqYhyQ=
modernc.org/sqlite v1.36.1/go.mod h1:7MPwH7Z6bREicF9ZVUR78P1IKuxfZ8mRIDHD0iD+8TU=
modernc.org/strutil v1.1.1/go.mod h1:DE+MQQ/hjKBZS2zNInV5hhcipt5rLPWkmpbGeW5mmdw=
modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw=
modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
modernc.org/tcl v1.13.1/go.mod h1:XOLfOwzhkljL4itZkK6T72ckMgvj0BDsnKNdZVUOecw=
modernc.org/token v1.0.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8=
mvdan.cc/sh/v3 v3.10.0 h1:v9z7N1DLZ7owyLM/SXZQkBSXcwr2IGMm2LY2pmhVXj4=
mvdan.cc/sh/v3 v3.10.0/go.mod h1:z/mSSVyLFGZzqb3ZIKojjyqIx/xbmz/UHdCSv9HmqXY=
mvdan.cc/sh/v3 v3.11.0 h1:q5h+XMDRfUGUedCqFFsjoFjrhwf2Mvtt1rkMvVz0blw=
mvdan.cc/sh/v3 v3.11.0/go.mod h1:LRM+1NjoYCzuq/WZ6y44x14YNAI0NK7FLPeQSaFagGg=
oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=
oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
@@ -2867,6 +2890,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
sigs.k8s.io/kind v0.19.0 h1:ZSUh6/kpab6fiowT6EqL4k8xSbedI2NWxyuUOtoPFe4=
sigs.k8s.io/kind v0.19.0/go.mod h1:aBlbxg08cauDgZ612shr017/rZwqd7AS563FvpWKPVs=
sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo=
sigs.k8s.io/kustomize/api v0.18.0/go.mod h1:f8isXnX+8b+SGLHQ6yO4JG1rdkZlvhaCf/uZbLVMb0U=
sigs.k8s.io/kustomize/kyaml v0.18.1 h1:WvBo56Wzw3fjS+7vBjN6TeivvpbW9GmRaWZ9CIVmt4E=
@@ -2875,11 +2900,8 @@ sigs.k8s.io/release-utils v0.8.4 h1:4QVr3UgbyY/d9p74LBhg0njSVQofUsAZqYOzVZBhdBw=
sigs.k8s.io/release-utils v0.8.4/go.mod h1:m1bHfscTemQp+z+pLCZnkXih9n0+WukIUU70n6nFnU0=
sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
tags.cncf.io/container-device-interface v0.8.0 h1:8bCFo/g9WODjWx3m6EYl3GfUG31eKJbaggyBDxEldRc=
tags.cncf.io/container-device-interface v0.8.0/go.mod h1:Apb7N4VdILW0EVdEMRYXIDVRZfNJZ+kmEUss2kRRQ6Y=
tags.cncf.io/container-device-interface/specs-go v0.8.0 h1:QYGFzGxvYK/ZLMrjhvY0RjpUavIn4KcmRmVP/JjdBTA=
tags.cncf.io/container-device-interface/specs-go v0.8.0/go.mod h1:BhJIkjjPh4qpys+qm4DAYtUyryaTDg9zris+AczXyws=

8
goreleaser.yml
View File

@@ -165,7 +165,7 @@ dockers:
- "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
- "--label=org.opencontainers.image.revision={{ .FullCommit }}"
- "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
- "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
- "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
- "--platform=linux/amd64"
extra_files:
- contrib/
@@ -190,7 +190,7 @@ dockers:
- "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
- "--label=org.opencontainers.image.revision={{ .FullCommit }}"
- "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
- "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
- "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
- "--platform=linux/arm64"
extra_files:
- contrib/
@@ -215,7 +215,7 @@ dockers:
- "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
- "--label=org.opencontainers.image.revision={{ .FullCommit }}"
- "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
- "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
- "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
- "--platform=linux/s390x"
extra_files:
- contrib/
@@ -240,7 +240,7 @@ dockers:
- "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
- "--label=org.opencontainers.image.revision={{ .FullCommit }}"
- "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
- "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
- "--label=org.opencontainers.image.documentation=https://trivy.dev/v{{ .Version }}/"
- "--platform=linux/ppc64le"
extra_files:
- contrib/

4
helm/trivy/Chart.yaml
View File

@@ -1,7 +1,7 @@
apiVersion: v2
name: trivy
version: 0.10.1
appVersion: 0.58.1
version: 0.12.0
appVersion: 0.60.0
description: Trivy helm chart
keywords:
- scanner

10
helm/trivy/README.md
View File

@@ -63,9 +63,9 @@ The following table lists the configurable parameters of the Trivy chart and the
| `image.pullSecret` | The name of an imagePullSecret used to pull trivy image from e.g. Docker Hub or a private registry | |
| `replicaCount` | Number of Trivy Pods to run | `1` |
| `trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting | |
| `trivy.registryUsername` | The username used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.registryPassword` | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ | |
| `trivy.gitHubToken` | The GitHub access token to download Trivy DB. More info: https://trivy.dev/latest/docs/references/troubleshooting/#github-rate-limiting | |
| `trivy.registryUsername` | The username used to log in at dockerhub. More info: https://trivy.dev/latest/docs/advanced/private-registries/docker-hub/ | |
| `trivy.registryPassword` | The password used to log in at dockerhub. More info: https://trivy.dev/latest/docs/advanced/private-registries/docker-hub/ | |
| `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set. | |
| `trivy.serviceAccount.annotations` | Additional annotations to add to the Kubernetes service account resource | |
| `trivy.skipDBUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` |
@@ -90,7 +90,7 @@ The following table lists the configurable parameters of the Trivy chart and the
| `tolerations` | Tolerations for pod assignment | |
| `podAnnotations` | Annotations for pods created by statefulset | `{}` |
The above parameters map to the env variables defined in [trivy](https://github.com/aquasecurity/trivy#configuration).
The above parameters map to the env variables defined in [trivy](https://trivy.dev/latest/docs/configuration/#configuration).
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
@@ -108,4 +108,4 @@ This chart uses a PersistentVolumeClaim to reduce the number of database downloa
## Caching
You can specify a Redis server as cache backend. This Redis server has to be already present. You can use the [bitnami chart](https://bitnami.com/stack/redis/helm).
More Information about the caching backends can be found [here](https://github.com/aquasecurity/trivy#specify-cache-backend).
More Information about the caching backends can be found [here](https://trivy.dev/latest/docs/configuration/cache/#scan-cache-backend).

2
helm/trivy/values.yaml
View File

@@ -77,7 +77,7 @@ trivy:
gitHubToken: ""
# Docker registry credentials
# See also: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/
# See also: https://trivy.dev/dev/advanced/private-registries/docker-hub/
#
# Either
# Directly in this file

50
integration/client_server_test.go
View File

@@ -22,21 +22,22 @@ import (
)
type csArgs struct {
Command string
RemoteAddrOption string
Format types.Format
TemplatePath string
IgnoreUnfixed bool
Severity []string
IgnoreIDs []string
Input string
ClientToken string
ClientTokenHeader string
PathPrefix string
ListAllPackages bool
Target string
secretConfig string
Distro string
Command string
RemoteAddrOption string
Format types.Format
TemplatePath string
IgnoreUnfixed bool
Severity []string
IgnoreIDs []string
Input string
ClientToken string
ClientTokenHeader string
PathPrefix string
ListAllPackages bool
Target string
secretConfig string
Distro string
VulnSeveritySources []string
}
func TestClientServer(t *testing.T) {
@@ -280,6 +281,19 @@ func TestClientServer(t *testing.T) {
},
golden: "testdata/npm.json.golden",
},
{
name: "scan package-lock.json with severity from `ubuntu` in client/server mode",
args: csArgs{
Command: "repo",
RemoteAddrOption: "--server",
Target: "testdata/fixtures/repo/npm/",
VulnSeveritySources: []string{
"alpine",
"ubuntu",
},
},
golden: "testdata/npm-ubuntu-severity.json.golden",
},
{
name: "scan sample.pem with repo command in client/server mode",
args: csArgs{
@@ -677,6 +691,12 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string) []string
)
}
if len(c.VulnSeveritySources) != 0 {
osArgs = append(osArgs,
"--vuln-severity-source", strings.Join(c.VulnSeveritySources, ","),
)
}
if len(c.IgnoreIDs) != 0 {
trivyIgnore := filepath.Join(t.TempDir(), ".trivyignore")
err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)

2
integration/module_test.go
View File

@@ -8,7 +8,7 @@ import (
"testing"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/scanner/post"
"github.com/aquasecurity/trivy/pkg/scan/post"
)
func TestModule(t *testing.T) {

59
integration/repo_test.go
View File

@@ -10,7 +10,7 @@ import (
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/pkg/fanal/artifact"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)
@@ -18,23 +18,24 @@ import (
func TestRepository(t *testing.T) {
t.Setenv("NUGET_PACKAGES", t.TempDir())
type args struct {
scanner types.Scanner
ignoreIDs []string
policyPaths []string
namespaces []string
listAllPkgs bool
input string
secretConfig string
filePatterns []string
helmSet []string
helmValuesFile []string
skipFiles []string
skipDirs []string
command string
format types.Format
includeDevDeps bool
parallel int
vex string
scanner types.Scanner
ignoreIDs []string
policyPaths []string
namespaces []string
listAllPkgs bool
input string
secretConfig string
filePatterns []string
helmSet []string
helmValuesFile []string
skipFiles []string
skipDirs []string
command string
format types.Format
includeDevDeps bool
parallel int
vex string
vulnSeveritySources []string
}
tests := []struct {
name string
@@ -104,6 +105,18 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/npm.json.golden",
},
{
name: "npm with severity from ubuntu",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/repo/npm",
vulnSeveritySources: []string{
"alpine",
"ubuntu",
},
},
golden: "testdata/npm-ubuntu-severity.json.golden",
},
{
name: "npm with dev deps",
args: args{
@@ -418,7 +431,7 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/gomod-skip.json.golden",
override: func(_ *testing.T, want, _ *types.Report) {
want.ArtifactType = artifact.TypeFilesystem
want.ArtifactType = ftypes.TypeFilesystem
},
},
{
@@ -432,7 +445,7 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/dockerfile-custom-policies.json.golden",
override: func(_ *testing.T, want, got *types.Report) {
want.ArtifactType = artifact.TypeFilesystem
want.ArtifactType = ftypes.TypeFilesystem
},
},
{
@@ -538,6 +551,12 @@ func TestRepository(t *testing.T) {
}
}
if len(tt.args.vulnSeveritySources) != 0 {
osArgs = append(osArgs,
"--vuln-severity-source", strings.Join(tt.args.vulnSeveritySources, ","),
)
}
if tt.args.listAllPkgs {
osArgs = append(osArgs, "--list-all-pkgs")
}

10
integration/sbom_test.go
View File

@@ -10,7 +10,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/pkg/fanal/artifact"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)
@@ -38,7 +38,7 @@ func TestSBOM(t *testing.T) {
golden: "testdata/centos-7.json.golden",
override: func(t *testing.T, want, got *types.Report) {
want.ArtifactName = "testdata/fixtures/sbom/centos-7-cyclonedx.json"
want.ArtifactType = artifact.TypeCycloneDX
want.ArtifactType = ftypes.TypeCycloneDX
require.Len(t, got.Results, 1)
want.Results[0].Target = "testdata/fixtures/sbom/centos-7-cyclonedx.json (centos 7.6.1810)"
@@ -87,7 +87,7 @@ func TestSBOM(t *testing.T) {
golden: "testdata/centos-7.json.golden",
override: func(t *testing.T, want, got *types.Report) {
want.ArtifactName = "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl"
want.ArtifactType = artifact.TypeCycloneDX
want.ArtifactType = ftypes.TypeCycloneDX
require.Len(t, got.Results, 1)
want.Results[0].Target = "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl (centos 7.6.1810)"
@@ -108,7 +108,7 @@ func TestSBOM(t *testing.T) {
golden: "testdata/centos-7.json.golden",
override: func(t *testing.T, want, got *types.Report) {
want.ArtifactName = "testdata/fixtures/sbom/centos-7-spdx.txt"
want.ArtifactType = artifact.TypeSPDX
want.ArtifactType = ftypes.TypeSPDX
require.Len(t, got.Results, 1)
want.Results[0].Target = "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)"
@@ -124,7 +124,7 @@ func TestSBOM(t *testing.T) {
golden: "testdata/centos-7.json.golden",
override: func(t *testing.T, want, got *types.Report) {
want.ArtifactName = "testdata/fixtures/sbom/centos-7-spdx.json"
want.ArtifactType = artifact.TypeSPDX
want.ArtifactType = ftypes.TypeSPDX
require.Len(t, got.Results, 1)
want.Results[0].Target = "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)"

2
integration/testdata/conda-spdx.json.golden vendored
View File

@@ -3,7 +3,7 @@
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "testdata/fixtures/repo/conda",
"documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000004",
"documentNamespace": "http://trivy.dev/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000004",
"creationInfo": {
"creators": [
"Organization: aquasecurity",

2
integration/testdata/fixtures/sbom/centos-7-spdx.json vendored
View File

@@ -8,7 +8,7 @@
]
},
"dataLicense": "CC0-1.0",
"documentNamespace": "http://aquasecurity.github.io/trivy/container_image/integration/testdata/fixtures/images/centos-7.tar.gz-2906855d-5098-4a22-9a72-4f7099ea3d66",
"documentNamespace": "http://trivy.dev/container_image/integration/testdata/fixtures/images/centos-7.tar.gz-2906855d-5098-4a22-9a72-4f7099ea3d66",
"name": "integration/testdata/fixtures/images/centos-7.tar.gz",
"packages": [
{

2
integration/testdata/fixtures/sbom/centos-7-spdx.txt vendored
View File

@@ -2,7 +2,7 @@ SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: integration/testdata/fixtures/images/centos-7.tar.gz
DocumentNamespace: http://aquasecurity.github.io/trivy/container_image/integration/testdata/fixtures/images/centos-7.tar.gz-6a2c050f-bc12-46dc-b2df-1f4e3e0b5e1d
DocumentNamespace: http://trivy.dev/container_image/integration/testdata/fixtures/images/centos-7.tar.gz-6a2c050f-bc12-46dc-b2df-1f4e3e0b5e1d
Creator: Organization: aquasecurity
Creator: Tool: trivy-dev
Created: 2022-09-13T13:24:58.796907Z

644
integration/testdata/helm.json.golden vendored
View File

@@ -21,8 +21,8 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 79,
"Failures": 15
"Successes": 78,
"Failures": 22
},
"Misconfigurations": [
{
@@ -91,7 +91,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -160,7 +161,78 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV004",
"AVDID": "AVD-KSV-0004",
"Title": "Default capabilities: some containers do not drop any",
"Description": "Security best practices require containers to run with minimal required capabilities.",
"Message": "Container 'nginx' of 'deployment' 'nginx-deployment' in 'default' namespace should set securityContext.capabilities.drop",
"Namespace": "builtin.kubernetes.KSV004",
"Query": "data.builtin.kubernetes.KSV004.deny",
"Resolution": "Specify at least one unneeded capability in 'containers[].securityContext.capabilities.drop'",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv004",
"References": [
"https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/",
"https://avd.aquasec.com/misconfig/ksv004"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
@@ -229,7 +301,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -298,7 +371,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -367,7 +441,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -436,7 +511,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -505,7 +581,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -574,7 +651,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -643,7 +721,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -712,7 +791,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -781,7 +861,473 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV032",
"AVDID": "AVD-KSV-0032",
"Title": "All container images must start with the *.azurecr.io domain",
"Description": "Containers should only use images from trusted registries.",
"Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
"Namespace": "builtin.kubernetes.KSV032",
"Query": "data.builtin.kubernetes.KSV032.deny",
"Resolution": "Use images from trusted Azure registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
"References": [
"https://avd.aquasec.com/misconfig/ksv032"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV033",
"AVDID": "AVD-KSV-0033",
"Title": "All container images must start with a GCR domain",
"Description": "Containers should only use images from trusted GCR registries.",
"Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
"Namespace": "builtin.kubernetes.KSV033",
"Query": "data.builtin.kubernetes.KSV033.deny",
"Resolution": "Use images from trusted GCR registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
"References": [
"https://avd.aquasec.com/misconfig/ksv033"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV035",
"AVDID": "AVD-KSV-0035",
"Title": "All container images must start with an ECR domain",
"Description": "Container images from non-ECR registries should be forbidden.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
"Namespace": "builtin.kubernetes.KSV035",
"Query": "data.builtin.kubernetes.KSV035.deny",
"Resolution": "Container image should be used from Amazon container Registry",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
"References": [
"https://avd.aquasec.com/misconfig/ksv035"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV039",
"AVDID": "AVD-KSV-0039",
"Title": "limit range usage",
"Description": "ensure limit range policy has configure in order to limit resource usage for namespaces or nodes",
"Message": "limit range policy with a default request and limit, min and max request, for each container should be configure",
"Namespace": "builtin.kubernetes.KSV039",
"Query": "data.builtin.kubernetes.KSV039.deny",
"Resolution": "create limit range policy with a default request and limit, min and max request, for each container.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv039",
"References": [
"https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/",
"https://avd.aquasec.com/misconfig/ksv039"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 9,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 9,
"Content": " replicas: 3",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3",
"FirstCause": true,
"LastCause": false
},
{
"Number": 10,
"Content": " selector:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 11,
"Content": " matchLabels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 12,
"Content": " app: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
"FirstCause": false,
"LastCause": false
},
{
"Number": 13,
"Content": " template:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 14,
"Content": " metadata:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " app: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
"FirstCause": false,
"LastCause": false
},
{
"Number": 17,
"Content": " spec:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mspec\u001b[0m:",
"FirstCause": false,
"LastCause": true
},
{
"Number": 18,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV040",
"AVDID": "AVD-KSV-0040",
"Title": "resource quota usage",
"Description": "ensure resource quota policy has configure in order to limit aggregate resource usage within namespace",
"Message": "resource quota policy with hard memory and cpu quota per namespace should be configure",
"Namespace": "builtin.kubernetes.KSV040",
"Query": "data.builtin.kubernetes.KSV040.deny",
"Resolution": "create resource quota policy with mem and cpu quota per each namespace",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv040",
"References": [
"https://kubernetes.io/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/",
"https://avd.aquasec.com/misconfig/ksv040"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 9,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 9,
"Content": " replicas: 3",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreplicas\u001b[0m: \u001b[38;5;37m3",
"FirstCause": true,
"LastCause": false
},
{
"Number": 10,
"Content": " selector:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mselector\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 11,
"Content": " matchLabels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmatchLabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 12,
"Content": " app: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
"FirstCause": false,
"LastCause": false
},
{
"Number": 13,
"Content": " template:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mtemplate\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 14,
"Content": " metadata:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mmetadata\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 15,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 16,
"Content": " app: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
"FirstCause": false,
"LastCause": false
},
{
"Number": 17,
"Content": " spec:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mspec\u001b[0m:",
"FirstCause": false,
"LastCause": true
},
{
"Number": 18,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
@@ -850,7 +1396,8 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
@@ -919,7 +1466,68 @@
"LastCause": true
}
]
}
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV110",
"AVDID": "AVD-KSV-0110",
"Title": "Workloads in the default namespace",
"Description": "Checks whether a workload is running in the default namespace.",
"Message": "deployment nginx-deployment in default namespace should set metadata.namespace to a non-default namespace",
"Namespace": "builtin.kubernetes.KSV110",
"Query": "data.builtin.kubernetes.KSV110.deny",
"Resolution": "Set 'metadata.namespace' to a non-default namespace.",
"Severity": "LOW",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv110",
"References": [
"https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
"https://avd.aquasec.com/misconfig/ksv110"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 5,
"EndLine": 7,
"Code": {
"Lines": [
{
"Number": 5,
"Content": " name: nginx-deployment",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mname\u001b[0m: nginx-deployment",
"FirstCause": true,
"LastCause": false
},
{
"Number": 6,
"Content": " labels:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mlabels\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 7,
"Content": " app: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mapp\u001b[0m: nginx",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
@@ -946,7 +1554,8 @@
"Service": "general",
"Code": {
"Lines": null
}
},
"RenderedCause": {}
}
},
{
@@ -972,7 +1581,8 @@
"Service": "general",
"Code": {
"Lines": null
}
},
"RenderedCause": {}
}
}
]

1004
integration/testdata/helm_testchart.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

1010
integration/testdata/helm_testchart.overridden.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

2
integration/testdata/julia-spdx.json.golden vendored
View File

@@ -3,7 +3,7 @@
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "testdata/fixtures/repo/julia",
"documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/julia-3ff14136-e09f-4df9-80ea-000000000006",
"documentNamespace": "http://trivy.dev/filesystem/testdata/fixtures/repo/julia-3ff14136-e09f-4df9-80ea-000000000006",
"creationInfo": {
"creators": [
"Organization: aquasecurity",

15
integration/testdata/license-cyclonedx.json.golden vendored
View File

@@ -16,14 +16,6 @@
}
},
"Results": [
{
"Target": "OS Packages",
"Class": "license"
},
{
"Target": "pom.xml",
"Class": "license"
},
{
"Target": "Java",
"Class": "license",
@@ -34,6 +26,7 @@
"PkgName": "org.eclipse.sisu:org.eclipse.sisu.plexus",
"FilePath": "",
"Name": "EPL-1.0",
"Text": "",
"Confidence": 1,
"Link": ""
},
@@ -43,6 +36,7 @@
"PkgName": "org.ow2.asm:asm",
"FilePath": "",
"Name": "BSD-3-Clause",
"Text": "",
"Confidence": 1,
"Link": ""
},
@@ -52,14 +46,11 @@
"PkgName": "org.slf4j:slf4j-api",
"FilePath": "",
"Name": "MIT License",
"Text": "",
"Confidence": 1,
"Link": ""
}
]
},
{
"Target": "Loose File License(s)",
"Class": "license-file"
}
]
}

160
integration/testdata/npm-ubuntu-severity.json.golden vendored Normal file
View File

@@ -0,0 +1,160 @@
{
"SchemaVersion": 2,
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/repo/npm",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "package-lock.json",
"Class": "lang-pkgs",
"Type": "npm",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-11358",
"PkgID": "jquery@3.3.9",
"PkgName": "jquery",
"PkgIdentifier": {
"PURL": "pkg:npm/jquery@3.3.9",
"UID": "e19e84d31f72b60c"
},
"InstalledVersion": "3.3.9",
"FixedVersion": "3.4.0",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection",
"Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
"Severity": "LOW",
"CweIDs": [
"CWE-79"
],
"VendorSeverity": {
"alma": 2,
"amazon": 2,
"arch-linux": 2,
"ghsa": 2,
"nodejs-security-wg": 2,
"nvd": 2,
"oracle-oval": 2,
"redhat": 2,
"ruby-advisory-db": 2,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V2Score": 4.3,
"V3Score": 6.1
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.6
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html",
"http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html",
"http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html",
"http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html",
"http://seclists.org/fulldisclosure/2019/May/10",
"http://seclists.org/fulldisclosure/2019/May/11",
"http://seclists.org/fulldisclosure/2019/May/13",
"http://www.openwall.com/lists/oss-security/2019/06/03/2",
"http://www.securityfocus.com/bid/108023",
"https://access.redhat.com/errata/RHBA-2019:1570",
"https://access.redhat.com/errata/RHSA-2019:1456",
"https://access.redhat.com/errata/RHSA-2019:2587",
"https://access.redhat.com/errata/RHSA-2019:3023",
"https://access.redhat.com/errata/RHSA-2019:3024",
"https://access.redhat.com/security/cve/CVE-2019-11358",
"https://backdropcms.org/security/backdrop-sa-core-2019-009",
"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358",
"https://github.com/DanielRuf/snyk-js-jquery-174006?files=1",
"https://github.com/advisories/GHSA-6c3j-c64m-qhgq",
"https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b",
"https://github.com/jquery/jquery/pull/4333",
"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434",
"https://hackerone.com/reports/454365",
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601",
"https://linux.oracle.com/cve/CVE-2019-11358.html",
"https://linux.oracle.com/errata/ELSA-2020-4847.html",
"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E",
"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E",
"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E",
"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E",
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E",
"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E",
"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E",
"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E",
"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E",
"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E",
"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E",
"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E",
"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E",
"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html",
"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html",
"https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"https://seclists.org/bugtraq/2019/Apr/32",
"https://seclists.org/bugtraq/2019/Jun/12",
"https://seclists.org/bugtraq/2019/May/18",
"https://security.netapp.com/advisory/ntap-20190919-0001/",
"https://snyk.io/vuln/SNYK-JS-JQUERY-174006",
"https://www.debian.org/security/2019/dsa-4434",
"https://www.debian.org/security/2019/dsa-4460",
"https://www.drupal.org/sa-core-2019-006",
"https://www.oracle.com//security-alerts/cpujul2021.html",
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpuapr2020.html",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.oracle.com/security-alerts/cpuoct2020.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html",
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
"https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/",
"https://www.synology.com/security/advisory/Synology_SA_19_19",
"https://www.tenable.com/security/tns-2019-08",
"https://www.tenable.com/security/tns-2020-02"
],
"PublishedDate": "2019-04-20T00:29:00Z",
"LastModifiedDate": "2021-10-20T11:15:00Z"
}
]
}
]
}

121
internal/cachetest/cache.go Normal file
View File

@@ -0,0 +1,121 @@
package cachetest
import (
"errors"
"testing"
"github.com/samber/lo"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/pkg/cache"
"github.com/aquasecurity/trivy/pkg/fanal/types"
)
type WantArtifact struct {
ID string
ArtifactInfo types.ArtifactInfo
}
type WantBlob struct {
ID string
BlobInfo types.BlobInfo
}
type ErrorCache struct {
*cache.MemoryCache
opts ErrorCacheOptions
}
type ErrorCacheOptions struct {
MissingBlobs bool
PutArtifact bool
PutBlob bool
GetArtifact bool
GetBlob bool
}
func NewErrorCache(opts ErrorCacheOptions) *ErrorCache {
return &ErrorCache{
MemoryCache: cache.NewMemoryCache(),
opts: opts,
}
}
func (c *ErrorCache) MissingBlobs(artifactID string, blobIDs []string) (bool, []string, error) {
if c.opts.MissingBlobs {
return false, nil, errors.New("MissingBlobs failed")
}
return c.MemoryCache.MissingBlobs(artifactID, blobIDs)
}
func (c *ErrorCache) PutArtifact(artifactID string, artifactInfo types.ArtifactInfo) error {
if c.opts.PutArtifact {
return errors.New("PutArtifact failed")
}
return c.MemoryCache.PutArtifact(artifactID, artifactInfo)
}
func (c *ErrorCache) PutBlob(artifactID string, blobInfo types.BlobInfo) error {
if c.opts.PutBlob {
return errors.New("PutBlob failed")
}
return c.MemoryCache.PutBlob(artifactID, blobInfo)
}
func (c *ErrorCache) GetArtifact(artifactID string) (types.ArtifactInfo, error) {
if c.opts.GetArtifact {
return types.ArtifactInfo{}, errors.New("GetArtifact failed")
}
return c.MemoryCache.GetArtifact(artifactID)
}
func (c *ErrorCache) GetBlob(blobID string) (types.BlobInfo, error) {
if c.opts.GetBlob {
return types.BlobInfo{}, errors.New("GetBlob failed")
}
return c.MemoryCache.GetBlob(blobID)
}
func NewCache(t *testing.T, setUpCache func(t *testing.T) cache.Cache) cache.Cache {
if setUpCache != nil {
return setUpCache(t)
}
return cache.NewMemoryCache()
}
func AssertArtifact(t *testing.T, c cache.Cache, wantArtifact WantArtifact) {
gotArtifact, err := c.GetArtifact(wantArtifact.ID)
require.NoError(t, err, "artifact not found")
assert.Equal(t, wantArtifact.ArtifactInfo, gotArtifact, wantArtifact.ID)
}
func AssertBlobs(t *testing.T, c cache.Cache, wantBlobs []WantBlob) {
if m, ok := c.(*cache.MemoryCache); ok {
blobIDs := m.BlobIDs()
wantBlobIDs := lo.Map(wantBlobs, func(want WantBlob, _ int) string {
return want.ID
})
require.ElementsMatch(t, wantBlobIDs, blobIDs, "blob IDs mismatch")
}
for _, want := range wantBlobs {
got, err := c.GetBlob(want.ID)
require.NoError(t, err, "blob not found")
for i := range got.Misconfigurations {
// suppress misconfiguration code block
for j := range got.Misconfigurations[i].Failures {
got.Misconfigurations[i].Failures[j].Code = types.Code{}
}
for j := range got.Misconfigurations[i].Successes {
got.Misconfigurations[i].Successes[j].Code = types.Code{}
}
for j := range got.Misconfigurations[i].Warnings {
got.Misconfigurations[i].Warnings[j].Code = types.Code{}
}
}
assert.Equal(t, want.BlobInfo, got, want.ID)
}
}

82
magefiles/magefile.go
View File

@@ -61,22 +61,6 @@ func buildLdflags() (string, error) {
type Tool mg.Namespace
// Aqua installs aqua if not installed
func (Tool) Aqua() error {
if exists(filepath.Join(GOBIN, "aqua")) {
return nil
}
return sh.Run("go", "install", "github.com/aquaproj/aqua/v2/cmd/aqua@v2.2.1")
}
// Wire installs wire if not installed
func (Tool) Wire() error {
if installed("wire") {
return nil
}
return sh.Run("go", "install", "github.com/google/wire/cmd/wire@v0.5.0")
}
// Sass installs saas if not installed. npm is assumed to be available
func (Tool) Sass() error {
if installed("sass") {
@@ -95,11 +79,13 @@ func (Tool) PipTools() error {
// GolangciLint installs golangci-lint
func (t Tool) GolangciLint() error {
const version = "v1.61.0"
const version = "v1.64.2"
bin := filepath.Join(GOBIN, "golangci-lint")
if exists(bin) && t.matchGolangciLintVersion(bin, version) {
return nil
}
// TODO: use `go install tool`
// cf. https://golangci-lint.run/welcome/install/#install-from-sources
command := fmt.Sprintf("curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b %s %s", GOBIN, version)
return sh.Run("bash", "-c", command)
}
@@ -126,52 +112,15 @@ func (Tool) matchGolangciLintVersion(bin, version string) bool {
return true
}
// Labeler installs labeler
func (Tool) Labeler() error {
if exists(filepath.Join(GOBIN, "labeler")) {
return nil
}
return sh.Run("go", "install", "github.com/knqyf263/labeler@latest")
}
// Kind installs kind cluster
func (Tool) Kind() error {
return sh.RunWithV(ENV, "go", "install", "sigs.k8s.io/kind@v0.19.0")
}
// Goyacc installs goyacc
func (Tool) Goyacc() error {
if exists(filepath.Join(GOBIN, "goyacc")) {
return nil
}
return sh.Run("go", "install", "golang.org/x/tools/cmd/goyacc@v0.7.0")
}
// Mockery installs mockery
func (Tool) Mockery() error {
if exists(filepath.Join(GOBIN, "mockery")) {
return nil
}
return sh.Run("go", "install", "github.com/knqyf263/mockery/cmd/mockery@latest")
func (Tool) Install() error {
log.Info("Installing tools, make sure you add $GOBIN to the $PATH")
return sh.Run("go", "install", "tool")
}
// Wire generates the wire_gen.go file for each package
func Wire() error {
mg.Deps(Tool{}.Wire)
return sh.RunV("wire", "gen", "./pkg/commands/...", "./pkg/rpc/...", "./pkg/k8s/...")
}
// Mock generates mocks
func Mock(dir string) error {
mg.Deps(Tool{}.Mockery)
mockeryArgs := []string{
"-all",
"-inpkg",
"-case=snake",
"-dir",
dir,
}
return sh.RunV("mockery", mockeryArgs...)
mg.Deps(Tool{}.Install) // Install wire
return sh.RunV("go", "tool", "wire", "gen", "./pkg/commands/...", "./pkg/rpc/...", "./pkg/k8s/...")
}
// Protoc parses PROTO_FILES and generates the Go code for client/server mode
@@ -216,7 +165,7 @@ func Protoc() error {
// Yacc generates parser
func Yacc() error {
mg.Deps(Tool{}.Goyacc)
mg.Deps(Tool{}.Install) // Install yacc
return sh.Run("go", "generate", "./pkg/licensing/expression/...")
}
@@ -275,11 +224,11 @@ func compileWasmModules(pattern string) error {
} else if !updated {
continue
}
// Check if TinyGo is installed
if !installed("tinygo") {
return errors.New("need to install TinyGo, follow https://tinygo.org/getting-started/install/")
envs := map[string]string{
"GOOS": "wasip1",
"GOARCH": "wasm",
}
if err = sh.Run("go", "generate", src); err != nil {
if err = sh.RunWith(envs, "go", "generate", src); err != nil {
return err
}
}
@@ -300,8 +249,7 @@ func (t Test) Integration() error {
// K8s runs k8s integration tests
func (t Test) K8s() error {
mg.Deps(Tool{}.Kind)
mg.Deps(Tool{}.Install) // Install kind
err := sh.RunWithV(ENV, "kind", "create", "cluster", "--name", "kind-test")
if err != nil {
return err
@@ -493,7 +441,7 @@ func Clean() error {
// Label updates labels
func Label() error {
mg.Deps(Tool{}.Labeler)
mg.Deps(Tool{}.Install) // Install labeler
return sh.RunV("labeler", "apply", "misc/triage/labels.yaml", "-l", "5")
}

6
mkdocs.yml
View File

@@ -1,5 +1,5 @@
site_name: Trivy
site_url: https://aquasecurity.github.io/trivy/
site_url: https://trivy.dev/
site_description: Trivy - All-in-one open source security scanner
docs_dir: docs/
repo_name: GitHub
@@ -133,6 +133,7 @@ nav:
- Overview: docs/supply-chain/vex/index.md
- VEX Repository: docs/supply-chain/vex/repo.md
- Local VEX Files: docs/supply-chain/vex/file.md
- VEX SBOM Reference: docs/supply-chain/vex/sbom-ref.md
- VEX Attestation: docs/supply-chain/vex/oci.md
- Compliance:
- Built-in Compliance: docs/compliance/compliance.md
@@ -201,6 +202,7 @@ nav:
- Client/Server: docs/references/modes/client-server.md
- Troubleshooting: docs/references/troubleshooting.md
- Terminology: docs/references/terminology.md
- Abbreviations: docs/references/abbreviations.md
- Ecosystem:
- Overview: ecosystem/index.md
- CI/CD: ecosystem/cicd.md
@@ -272,8 +274,6 @@ extra:
link: https://twitter.com/AquaTrivy
- icon: fontawesome/brands/github
link: https://github.com/aquasecurity/trivy
- icon: fontawesome/brands/slack
link: https://github.com/aquasecurity/trivy
analytics:
provider: google
property: G-V9LJGFH7GX

3
pkg/attestation/sbom/rekor_test.go
View File

@@ -1,7 +1,6 @@
package sbom_test
import (
"context"
"testing"
"github.com/stretchr/testify/assert"
@@ -41,7 +40,7 @@ func TestRekor_RetrieveSBOM(t *testing.T) {
rc, err := sbom.NewRekor(ts.URL())
require.NoError(t, err)
got, err := rc.RetrieveSBOM(context.Background(), tt.digest)
got, err := rc.RetrieveSBOM(t.Context(), tt.digest)
if tt.wantErr != "" {
assert.ErrorContains(t, err, tt.wantErr)
return

14
pkg/cache/memory.go vendored
View File

@@ -96,3 +96,17 @@ func (c *MemoryCache) Clear() error {
c.blobs = sync.Map{}
return nil
}
// BlobIDs returns all the blob IDs in the memory cache for testing
func (c *MemoryCache) BlobIDs() []string {
var blobIDs []string
c.blobs.Range(func(key, value any) bool {
blobID, ok := key.(string)
if !ok {
return false
}
blobIDs = append(blobIDs, blobID)
return true
})
return blobIDs
}

244
pkg/cache/mock_artifact_cache.go vendored
View File

@@ -1,244 +0,0 @@
// Code generated by mockery v1.0.0. DO NOT EDIT.
package cache
import (
mock "github.com/stretchr/testify/mock"
types "github.com/aquasecurity/trivy/pkg/fanal/types"
)
// MockArtifactCache is an autogenerated mock type for the ArtifactCache type
type MockArtifactCache struct {
mock.Mock
}
type ArtifactCacheDeleteBlobsArgs struct {
BlobIDs []string
BlobIDsAnything bool
}
type ArtifactCacheDeleteBlobsReturns struct {
_a0 error
}
type ArtifactCacheDeleteBlobsExpectation struct {
Args ArtifactCacheDeleteBlobsArgs
Returns ArtifactCacheDeleteBlobsReturns
}
func (_m *MockArtifactCache) ApplyDeleteBlobsExpectation(e ArtifactCacheDeleteBlobsExpectation) {
var args []interface{}
if e.Args.BlobIDsAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.BlobIDs)
}
_m.On("DeleteBlobs", args...).Return(e.Returns._a0)
}
func (_m *MockArtifactCache) ApplyDeleteBlobsExpectations(expectations []ArtifactCacheDeleteBlobsExpectation) {
for _, e := range expectations {
_m.ApplyDeleteBlobsExpectation(e)
}
}
// DeleteBlobs provides a mock function with given fields: blobIDs
func (_m *MockArtifactCache) DeleteBlobs(blobIDs []string) error {
ret := _m.Called(blobIDs)
var r0 error
if rf, ok := ret.Get(0).(func([]string) error); ok {
r0 = rf(blobIDs)
} else {
r0 = ret.Error(0)
}
return r0
}
type ArtifactCacheMissingBlobsArgs struct {
ArtifactID string
ArtifactIDAnything bool
BlobIDs []string
BlobIDsAnything bool
}
type ArtifactCacheMissingBlobsReturns struct {
MissingArtifact bool
MissingBlobIDs []string
Err error
}
type ArtifactCacheMissingBlobsExpectation struct {
Args ArtifactCacheMissingBlobsArgs
Returns ArtifactCacheMissingBlobsReturns
}
func (_m *MockArtifactCache) ApplyMissingBlobsExpectation(e ArtifactCacheMissingBlobsExpectation) {
var args []interface{}
if e.Args.ArtifactIDAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.ArtifactID)
}
if e.Args.BlobIDsAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.BlobIDs)
}
_m.On("MissingBlobs", args...).Return(e.Returns.MissingArtifact, e.Returns.MissingBlobIDs, e.Returns.Err)
}
func (_m *MockArtifactCache) ApplyMissingBlobsExpectations(expectations []ArtifactCacheMissingBlobsExpectation) {
for _, e := range expectations {
_m.ApplyMissingBlobsExpectation(e)
}
}
// MissingBlobs provides a mock function with given fields: artifactID, blobIDs
func (_m *MockArtifactCache) MissingBlobs(artifactID string, blobIDs []string) (bool, []string, error) {
ret := _m.Called(artifactID, blobIDs)
var r0 bool
if rf, ok := ret.Get(0).(func(string, []string) bool); ok {
r0 = rf(artifactID, blobIDs)
} else {
r0 = ret.Get(0).(bool)
}
var r1 []string
if rf, ok := ret.Get(1).(func(string, []string) []string); ok {
r1 = rf(artifactID, blobIDs)
} else {
if ret.Get(1) != nil {
r1 = ret.Get(1).([]string)
}
}
var r2 error
if rf, ok := ret.Get(2).(func(string, []string) error); ok {
r2 = rf(artifactID, blobIDs)
} else {
r2 = ret.Error(2)
}
return r0, r1, r2
}
type ArtifactCachePutArtifactArgs struct {
ArtifactID string
ArtifactIDAnything bool
ArtifactInfo types.ArtifactInfo
ArtifactInfoAnything bool
}
type ArtifactCachePutArtifactReturns struct {
Err error
}
type ArtifactCachePutArtifactExpectation struct {
Args ArtifactCachePutArtifactArgs
Returns ArtifactCachePutArtifactReturns
}
func (_m *MockArtifactCache) ApplyPutArtifactExpectation(e ArtifactCachePutArtifactExpectation) {
var args []interface{}
if e.Args.ArtifactIDAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.ArtifactID)
}
if e.Args.ArtifactInfoAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.ArtifactInfo)
}
_m.On("PutArtifact", args...).Return(e.Returns.Err)
}
func (_m *MockArtifactCache) ApplyPutArtifactExpectations(expectations []ArtifactCachePutArtifactExpectation) {
for _, e := range expectations {
_m.ApplyPutArtifactExpectation(e)
}
}
// PutArtifact provides a mock function with given fields: artifactID, artifactInfo
func (_m *MockArtifactCache) PutArtifact(artifactID string, artifactInfo types.ArtifactInfo) error {
ret := _m.Called(artifactID, artifactInfo)
var r0 error
if rf, ok := ret.Get(0).(func(string, types.ArtifactInfo) error); ok {
r0 = rf(artifactID, artifactInfo)
} else {
r0 = ret.Error(0)
}
return r0
}
type ArtifactCachePutBlobArgs struct {
BlobID string
BlobIDAnything bool
BlobInfo types.BlobInfo
BlobInfoAnything bool
}
type ArtifactCachePutBlobReturns struct {
Err error
}
type ArtifactCachePutBlobExpectation struct {
Args ArtifactCachePutBlobArgs
Returns ArtifactCachePutBlobReturns
}
func (_m *MockArtifactCache) ApplyPutBlobExpectation(e ArtifactCachePutBlobExpectation) *mock.Call {
var args []interface{}
if e.Args.BlobIDAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.BlobID)
}
if e.Args.BlobInfoAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.BlobInfo)
}
return _m.On("PutBlob", args...).Return(e.Returns.Err)
//return _m.On("PutBlob", mock.AnythingOfType("string"), mock.Anything).Return(e.Returns.Err)
}
func (_m *MockArtifactCache) ApplyPutBlobExpectations(expectations []ArtifactCachePutBlobExpectation) {
for _, e := range expectations {
_m.ApplyPutBlobExpectation(e)
}
}
// PutBlob provides a mock function with given fields: blobID, blobInfo
func (_m *MockArtifactCache) PutBlob(blobID string, blobInfo types.BlobInfo) error {
for i := range blobInfo.Misconfigurations {
// suppress misconfiguration code block
for j := range blobInfo.Misconfigurations[i].Failures {
blobInfo.Misconfigurations[i].Failures[j].Code = types.Code{}
}
for j := range blobInfo.Misconfigurations[i].Successes {
blobInfo.Misconfigurations[i].Successes[j].Code = types.Code{}
}
for j := range blobInfo.Misconfigurations[i].Warnings {
blobInfo.Misconfigurations[i].Warnings[j].Code = types.Code{}
}
}
ret := _m.Called(blobID, blobInfo)
var r0 error
if rf, ok := ret.Get(0).(func(string, types.BlobInfo) error); ok {
r0 = rf(blobID, blobInfo)
} else {
r0 = ret.Error(0)
}
return r0
}

399
pkg/cache/mock_cache.go vendored
View File

@@ -1,399 +0,0 @@
// Code generated by mockery v1.0.0. DO NOT EDIT.
package cache
import (
mock "github.com/stretchr/testify/mock"
types "github.com/aquasecurity/trivy/pkg/fanal/types"
)
// MockCache is an autogenerated mock type for the Cache type
type MockCache struct {
mock.Mock
}
type CacheClearReturns struct {
Err error
}
type CacheClearExpectation struct {
Returns CacheClearReturns
}
func (_m *MockCache) ApplyClearExpectation(e CacheClearExpectation) {
var args []interface{}
_m.On("Clear", args...).Return(e.Returns.Err)
}
func (_m *MockCache) ApplyClearExpectations(expectations []CacheClearExpectation) {
for _, e := range expectations {
_m.ApplyClearExpectation(e)
}
}
// Clear provides a mock function with given fields:
func (_m *MockCache) Clear() error {
ret := _m.Called()
var r0 error
if rf, ok := ret.Get(0).(func() error); ok {
r0 = rf()
} else {
r0 = ret.Error(0)
}
return r0
}
type CacheCloseReturns struct {
Err error
}
type CacheCloseExpectation struct {
Returns CacheCloseReturns
}
func (_m *MockCache) ApplyCloseExpectation(e CacheCloseExpectation) {
var args []interface{}
_m.On("Close", args...).Return(e.Returns.Err)
}
func (_m *MockCache) ApplyCloseExpectations(expectations []CacheCloseExpectation) {
for _, e := range expectations {
_m.ApplyCloseExpectation(e)
}
}
// Close provides a mock function with given fields:
func (_m *MockCache) Close() error {
ret := _m.Called()
var r0 error
if rf, ok := ret.Get(0).(func() error); ok {
r0 = rf()
} else {
r0 = ret.Error(0)
}
return r0
}
type CacheDeleteBlobArgs struct {
BlobID string
BlobIDAnything bool
}
type CacheDeleteBlobReturns struct {
_a0 error
}
type CacheDeleteBlobExpectation struct {
Args CacheDeleteBlobArgs
Returns CacheDeleteBlobReturns
}
func (_m *MockCache) ApplyDeleteBlobExpectation(e CacheDeleteBlobExpectation) {
var args []interface{}
if e.Args.BlobIDAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.BlobID)
}
_m.On("DeleteBlob", args...).Return(e.Returns._a0)
}
func (_m *MockCache) ApplyDeleteBlobExpectations(expectations []CacheDeleteBlobExpectation) {
for _, e := range expectations {
_m.ApplyDeleteBlobExpectation(e)
}
}
// DeleteBlob provides a mock function with given fields: blobID
func (_m *MockCache) DeleteBlob(blobID string) error {
ret := _m.Called(blobID)
var r0 error
if rf, ok := ret.Get(0).(func(string) error); ok {
r0 = rf(blobID)
} else {
r0 = ret.Error(0)
}
return r0
}
type CacheGetArtifactArgs struct {
ArtifactID string
ArtifactIDAnything bool
}
type CacheGetArtifactReturns struct {
ArtifactInfo types.ArtifactInfo
Err error
}
type CacheGetArtifactExpectation struct {
Args CacheGetArtifactArgs
Returns CacheGetArtifactReturns
}
func (_m *MockCache) ApplyGetArtifactExpectation(e CacheGetArtifactExpectation) {
var args []interface{}
if e.Args.ArtifactIDAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.ArtifactID)
}
_m.On("GetArtifact", args...).Return(e.Returns.ArtifactInfo, e.Returns.Err)
}
func (_m *MockCache) ApplyGetArtifactExpectations(expectations []CacheGetArtifactExpectation) {
for _, e := range expectations {
_m.ApplyGetArtifactExpectation(e)
}
}
// GetArtifact provides a mock function with given fields: artifactID
func (_m *MockCache) GetArtifact(artifactID string) (types.ArtifactInfo, error) {
ret := _m.Called(artifactID)
var r0 types.ArtifactInfo
if rf, ok := ret.Get(0).(func(string) types.ArtifactInfo); ok {
r0 = rf(artifactID)
} else {
r0 = ret.Get(0).(types.ArtifactInfo)
}
var r1 error
if rf, ok := ret.Get(1).(func(string) error); ok {
r1 = rf(artifactID)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
type CacheGetBlobArgs struct {
BlobID string
BlobIDAnything bool
}
type CacheGetBlobReturns struct {
BlobInfo types.BlobInfo
Err error
}
type CacheGetBlobExpectation struct {
Args CacheGetBlobArgs
Returns CacheGetBlobReturns
}
func (_m *MockCache) ApplyGetBlobExpectation(e CacheGetBlobExpectation) {
var args []interface{}
if e.Args.BlobIDAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.BlobID)
}
_m.On("GetBlob", args...).Return(e.Returns.BlobInfo, e.Returns.Err)
}
func (_m *MockCache) ApplyGetBlobExpectations(expectations []CacheGetBlobExpectation) {
for _, e := range expectations {
_m.ApplyGetBlobExpectation(e)
}
}
// GetBlob provides a mock function with given fields: blobID
func (_m *MockCache) GetBlob(blobID string) (types.BlobInfo, error) {
ret := _m.Called(blobID)
var r0 types.BlobInfo
if rf, ok := ret.Get(0).(func(string) types.BlobInfo); ok {
r0 = rf(blobID)
} else {
r0 = ret.Get(0).(types.BlobInfo)
}
var r1 error
if rf, ok := ret.Get(1).(func(string) error); ok {
r1 = rf(blobID)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
type CacheMissingBlobsArgs struct {
ArtifactID string
ArtifactIDAnything bool
BlobIDs []string
BlobIDsAnything bool
}
type CacheMissingBlobsReturns struct {
MissingArtifact bool
MissingBlobIDs []string
Err error
}
type CacheMissingBlobsExpectation struct {
Args CacheMissingBlobsArgs
Returns CacheMissingBlobsReturns
}
func (_m *MockCache) ApplyMissingBlobsExpectation(e CacheMissingBlobsExpectation) {
var args []interface{}
if e.Args.ArtifactIDAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.ArtifactID)
}
if e.Args.BlobIDsAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.BlobIDs)
}
_m.On("MissingBlobs", args...).Return(e.Returns.MissingArtifact, e.Returns.MissingBlobIDs, e.Returns.Err)
}
func (_m *MockCache) ApplyMissingBlobsExpectations(expectations []CacheMissingBlobsExpectation) {
for _, e := range expectations {
_m.ApplyMissingBlobsExpectation(e)
}
}
// MissingBlobs provides a mock function with given fields: artifactID, blobIDs
func (_m *MockCache) MissingBlobs(artifactID string, blobIDs []string) (bool, []string, error) {
ret := _m.Called(artifactID, blobIDs)
var r0 bool
if rf, ok := ret.Get(0).(func(string, []string) bool); ok {
r0 = rf(artifactID, blobIDs)
} else {
r0 = ret.Get(0).(bool)
}
var r1 []string
if rf, ok := ret.Get(1).(func(string, []string) []string); ok {
r1 = rf(artifactID, blobIDs)
} else {
if ret.Get(1) != nil {
r1 = ret.Get(1).([]string)
}
}
var r2 error
if rf, ok := ret.Get(2).(func(string, []string) error); ok {
r2 = rf(artifactID, blobIDs)
} else {
r2 = ret.Error(2)
}
return r0, r1, r2
}
type CachePutArtifactArgs struct {
ArtifactID string
ArtifactIDAnything bool
ArtifactInfo types.ArtifactInfo
ArtifactInfoAnything bool
}
type CachePutArtifactReturns struct {
Err error
}
type CachePutArtifactExpectation struct {
Args CachePutArtifactArgs
Returns CachePutArtifactReturns
}
func (_m *MockCache) ApplyPutArtifactExpectation(e CachePutArtifactExpectation) {
var args []interface{}
if e.Args.ArtifactIDAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.ArtifactID)
}
if e.Args.ArtifactInfoAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.ArtifactInfo)
}
_m.On("PutArtifact", args...).Return(e.Returns.Err)
}
func (_m *MockCache) ApplyPutArtifactExpectations(expectations []CachePutArtifactExpectation) {
for _, e := range expectations {
_m.ApplyPutArtifactExpectation(e)
}
}
// PutArtifact provides a mock function with given fields: artifactID, artifactInfo
func (_m *MockCache) PutArtifact(artifactID string, artifactInfo types.ArtifactInfo) error {
ret := _m.Called(artifactID, artifactInfo)
var r0 error
if rf, ok := ret.Get(0).(func(string, types.ArtifactInfo) error); ok {
r0 = rf(artifactID, artifactInfo)
} else {
r0 = ret.Error(0)
}
return r0
}
type CachePutBlobArgs struct {
BlobID string
BlobIDAnything bool
BlobInfo types.BlobInfo
BlobInfoAnything bool
}
type CachePutBlobReturns struct {
Err error
}
type CachePutBlobExpectation struct {
Args CachePutBlobArgs
Returns CachePutBlobReturns
}
func (_m *MockCache) ApplyPutBlobExpectation(e CachePutBlobExpectation) {
var args []interface{}
if e.Args.BlobIDAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.BlobID)
}
if e.Args.BlobInfoAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.BlobInfo)
}
_m.On("PutBlob", args...).Return(e.Returns.Err)
}
func (_m *MockCache) ApplyPutBlobExpectations(expectations []CachePutBlobExpectation) {
for _, e := range expectations {
_m.ApplyPutBlobExpectation(e)
}
}
// PutBlob provides a mock function with given fields: blobID, blobInfo
func (_m *MockCache) PutBlob(blobID string, blobInfo types.BlobInfo) error {
ret := _m.Called(blobID, blobInfo)
var r0 error
if rf, ok := ret.Get(0).(func(string, types.BlobInfo) error); ok {
r0 = rf(blobID, blobInfo)
} else {
r0 = ret.Error(0)
}
return r0
}

184
pkg/cache/mock_local_artifact_cache.go vendored
View File

@@ -1,184 +0,0 @@
// Code generated by mockery v1.0.0. DO NOT EDIT.
package cache
import (
mock "github.com/stretchr/testify/mock"
types "github.com/aquasecurity/trivy/pkg/fanal/types"
)
// MockLocalArtifactCache is an autogenerated mock type for the LocalArtifactCache type
type MockLocalArtifactCache struct {
mock.Mock
}
type LocalArtifactCacheClearReturns struct {
Err error
}
type LocalArtifactCacheClearExpectation struct {
Returns LocalArtifactCacheClearReturns
}
func (_m *MockLocalArtifactCache) ApplyClearExpectation(e LocalArtifactCacheClearExpectation) {
var args []interface{}
_m.On("Clear", args...).Return(e.Returns.Err)
}
func (_m *MockLocalArtifactCache) ApplyClearExpectations(expectations []LocalArtifactCacheClearExpectation) {
for _, e := range expectations {
_m.ApplyClearExpectation(e)
}
}
// Clear provides a mock function with given fields:
func (_m *MockLocalArtifactCache) Clear() error {
ret := _m.Called()
var r0 error
if rf, ok := ret.Get(0).(func() error); ok {
r0 = rf()
} else {
r0 = ret.Error(0)
}
return r0
}
type LocalArtifactCacheCloseReturns struct {
Err error
}
type LocalArtifactCacheCloseExpectation struct {
Returns LocalArtifactCacheCloseReturns
}
func (_m *MockLocalArtifactCache) ApplyCloseExpectation(e LocalArtifactCacheCloseExpectation) {
var args []interface{}
_m.On("Close", args...).Return(e.Returns.Err)
}
func (_m *MockLocalArtifactCache) ApplyCloseExpectations(expectations []LocalArtifactCacheCloseExpectation) {
for _, e := range expectations {
_m.ApplyCloseExpectation(e)
}
}
// Close provides a mock function with given fields:
func (_m *MockLocalArtifactCache) Close() error {
ret := _m.Called()
var r0 error
if rf, ok := ret.Get(0).(func() error); ok {
r0 = rf()
} else {
r0 = ret.Error(0)
}
return r0
}
type LocalArtifactCacheGetArtifactArgs struct {
ArtifactID string
ArtifactIDAnything bool
}
type LocalArtifactCacheGetArtifactReturns struct {
ArtifactInfo types.ArtifactInfo
Err error
}
type LocalArtifactCacheGetArtifactExpectation struct {
Args LocalArtifactCacheGetArtifactArgs
Returns LocalArtifactCacheGetArtifactReturns
}
func (_m *MockLocalArtifactCache) ApplyGetArtifactExpectation(e LocalArtifactCacheGetArtifactExpectation) {
var args []interface{}
if e.Args.ArtifactIDAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.ArtifactID)
}
_m.On("GetArtifact", args...).Return(e.Returns.ArtifactInfo, e.Returns.Err)
}
func (_m *MockLocalArtifactCache) ApplyGetArtifactExpectations(expectations []LocalArtifactCacheGetArtifactExpectation) {
for _, e := range expectations {
_m.ApplyGetArtifactExpectation(e)
}
}
// GetArtifact provides a mock function with given fields: artifactID
func (_m *MockLocalArtifactCache) GetArtifact(artifactID string) (types.ArtifactInfo, error) {
ret := _m.Called(artifactID)
var r0 types.ArtifactInfo
if rf, ok := ret.Get(0).(func(string) types.ArtifactInfo); ok {
r0 = rf(artifactID)
} else {
r0 = ret.Get(0).(types.ArtifactInfo)
}
var r1 error
if rf, ok := ret.Get(1).(func(string) error); ok {
r1 = rf(artifactID)
} else {
r1 = ret.Error(1)
}
return r0, r1
}
type LocalArtifactCacheGetBlobArgs struct {
BlobID string
BlobIDAnything bool
}
type LocalArtifactCacheGetBlobReturns struct {
BlobInfo types.BlobInfo
Err error
}
type LocalArtifactCacheGetBlobExpectation struct {
Args LocalArtifactCacheGetBlobArgs
Returns LocalArtifactCacheGetBlobReturns
}
func (_m *MockLocalArtifactCache) ApplyGetBlobExpectation(e LocalArtifactCacheGetBlobExpectation) {
var args []interface{}
if e.Args.BlobIDAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.BlobID)
}
_m.On("GetBlob", args...).Return(e.Returns.BlobInfo, e.Returns.Err)
}
func (_m *MockLocalArtifactCache) ApplyGetBlobExpectations(expectations []LocalArtifactCacheGetBlobExpectation) {
for _, e := range expectations {
_m.ApplyGetBlobExpectation(e)
}
}
// GetBlob provides a mock function with given fields: blobID
func (_m *MockLocalArtifactCache) GetBlob(blobID string) (types.BlobInfo, error) {
ret := _m.Called(blobID)
var r0 types.BlobInfo
if rf, ok := ret.Get(0).(func(string) types.BlobInfo); ok {
r0 = rf(blobID)
} else {
r0 = ret.Get(0).(types.BlobInfo)
}
var r1 error
if rf, ok := ret.Get(1).(func(string) error); ok {
r1 = rf(blobID)
} else {
r1 = ret.Error(1)
}
return r0, r1
}

8
pkg/commands/app.go
View File

@@ -520,6 +520,13 @@ func NewConvertCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
ReportFlagGroup: flag.NewReportFlagGroup(),
}
// To display the summary table, we need to enable scanners (to build columns).
// We can't get scanner information from the report (we don't include empty licenses and secrets in the report).
// So we need to ask the user to configure scanners (if needed).
convertFlags.ScanFlagGroup.Scanners = flag.ScannersFlag.Clone()
convertFlags.ScanFlagGroup.Scanners.Default = nil // disable default scanners
convertFlags.ScanFlagGroup.Scanners.Usage = "List of scanners included when generating the json report. Used only for rendering the summary table."
cmd := &cobra.Command{
Use: "convert [flags] RESULT_JSON",
Aliases: []string{"conv"},
@@ -977,6 +984,7 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
}
reportFlagGroup.Compliance = compliance // override usage as the accepted values differ for each subcommand.
reportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol'
reportFlagGroup.TableMode = nil // disable '--table-mode'
formatFlag := flag.FormatFlag.Clone()
formatFlag.Values = xstrings.ToStringSlice([]types.Format{

117
pkg/commands/artifact/inject.go
View File

@@ -12,97 +12,100 @@ import (
"github.com/aquasecurity/trivy/pkg/fanal/artifact"
"github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/rpc/client"
"github.com/aquasecurity/trivy/pkg/scanner"
"github.com/aquasecurity/trivy/pkg/scan"
)
//////////////
// Standalone
//////////////
// initializeImageScanner is for container image scanning in standalone mode
// initializeImageScanService is for container image scanning in standalone mode
// e.g. dockerd, container registry, podman, etc.
func initializeImageScanner(ctx context.Context, imageName string, imageOpt types.ImageOptions, cacheOptions cache.Options, artifactOption artifact.Option) (
scanner.Scanner, func(), error) {
wire.Build(scanner.StandaloneDockerSet)
return scanner.Scanner{}, nil, nil
func initializeImageScanService(ctx context.Context, imageName string, imageOpt types.ImageOptions, cacheOptions cache.Options, artifactOption artifact.Option) (
scan.Service, func(), error) {
wire.Build(scan.StandaloneDockerSet)
return scan.Service{}, nil, nil
}
// initializeArchiveScanner is for container image archive scanning in standalone mode
// initializeArchiveScanService is for container image archive scanning in standalone mode
// e.g. docker save -o alpine.tar alpine:3.15
func initializeArchiveScanner(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (
scanner.Scanner, func(), error) {
wire.Build(scanner.StandaloneArchiveSet)
return scanner.Scanner{}, nil, nil
func initializeArchiveScanService(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (
scan.Service, func(), error) {
wire.Build(scan.StandaloneArchiveSet)
return scan.Service{}, nil, nil
}
// initializeFilesystemScanner is for filesystem scanning in standalone mode
func initializeFilesystemScanner(ctx context.Context, path string, cacheOptions cache.Options, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
wire.Build(scanner.StandaloneFilesystemSet)
return scanner.Scanner{}, nil, nil
// initializeFilesystemScanService is for filesystem scanning in standalone mode
func initializeFilesystemScanService(ctx context.Context, path string, cacheOptions cache.Options, artifactOption artifact.Option) (scan.Service, func(), error) {
wire.Build(scan.StandaloneFilesystemSet)
return scan.Service{}, nil, nil
}
func initializeRepositoryScanner(ctx context.Context, url string, cacheOptions cache.Options, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
wire.Build(scanner.StandaloneRepositorySet)
return scanner.Scanner{}, nil, nil
// initializeRepositoryScanService is for repository scanning in standalone mode
func initializeRepositoryScanService(ctx context.Context, url string, cacheOptions cache.Options, artifactOption artifact.Option) (scan.Service, func(), error) {
wire.Build(scan.StandaloneRepositorySet)
return scan.Service{}, nil, nil
}
func initializeSBOMScanner(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
wire.Build(scanner.StandaloneSBOMSet)
return scanner.Scanner{}, nil, nil
// initializeSBOMScanService is for sbom scanning in standalone mode
func initializeSBOMScanService(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (scan.Service, func(), error) {
wire.Build(scan.StandaloneSBOMSet)
return scan.Service{}, nil, nil
}
func initializeVMScanner(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (
scanner.Scanner, func(), error) {
wire.Build(scanner.StandaloneVMSet)
return scanner.Scanner{}, nil, nil
// initializeVMScanService is for vm scanning in standalone mode
func initializeVMScanService(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (
scan.Service, func(), error) {
wire.Build(scan.StandaloneVMSet)
return scan.Service{}, nil, nil
}
/////////////////
// Client/Server
/////////////////
// initializeRemoteImageScanner is for container image scanning in client/server mode
// initializeRemoteImageScanService is for container image scanning in client/server mode
// e.g. dockerd, container registry, podman, etc.
func initializeRemoteImageScanner(ctx context.Context, imageName string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ScannerOption, imageOpt types.ImageOptions, artifactOption artifact.Option) (
scanner.Scanner, func(), error) {
wire.Build(scanner.RemoteDockerSet)
return scanner.Scanner{}, nil, nil
func initializeRemoteImageScanService(ctx context.Context, imageName string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ServiceOption, imageOpt types.ImageOptions, artifactOption artifact.Option) (
scan.Service, func(), error) {
wire.Build(scan.RemoteDockerSet)
return scan.Service{}, nil, nil
}
// initializeRemoteArchiveScanner is for container image archive scanning in client/server mode
// initializeRemoteArchiveScanService is for container image archive scanning in client/server mode
// e.g. docker save -o alpine.tar alpine:3.15
func initializeRemoteArchiveScanner(ctx context.Context, filePath string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
wire.Build(scanner.RemoteArchiveSet)
return scanner.Scanner{}, nil, nil
func initializeRemoteArchiveScanService(ctx context.Context, filePath string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ServiceOption, artifactOption artifact.Option) (scan.Service, func(), error) {
wire.Build(scan.RemoteArchiveSet)
return scan.Service{}, nil, nil
}
// initializeRemoteFilesystemScanner is for filesystem scanning in client/server mode
func initializeRemoteFilesystemScanner(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
wire.Build(scanner.RemoteFilesystemSet)
return scanner.Scanner{}, nil, nil
// initializeRemoteFilesystemScanService is for filesystem scanning in client/server mode
func initializeRemoteFilesystemScanService(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ServiceOption, artifactOption artifact.Option) (scan.Service, func(), error) {
wire.Build(scan.RemoteFilesystemSet)
return scan.Service{}, nil, nil
}
// initializeRemoteRepositoryScanner is for repository scanning in client/server mode
func initializeRemoteRepositoryScanner(ctx context.Context, url string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (
scanner.Scanner, func(), error) {
wire.Build(scanner.RemoteRepositorySet)
return scanner.Scanner{}, nil, nil
// initializeRemoteRepositoryScanService is for repository scanning in client/server mode
func initializeRemoteRepositoryScanService(ctx context.Context, url string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ServiceOption, artifactOption artifact.Option) (
scan.Service, func(), error) {
wire.Build(scan.RemoteRepositorySet)
return scan.Service{}, nil, nil
}
// initializeRemoteSBOMScanner is for sbom scanning in client/server mode
func initializeRemoteSBOMScanner(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
wire.Build(scanner.RemoteSBOMSet)
return scanner.Scanner{}, nil, nil
// initializeRemoteSBOMScanService is for sbom scanning in client/server mode
func initializeRemoteSBOMScanService(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ServiceOption, artifactOption artifact.Option) (scan.Service, func(), error) {
wire.Build(scan.RemoteSBOMSet)
return scan.Service{}, nil, nil
}
// initializeRemoteVMScanner is for vm scanning in client/server mode
func initializeRemoteVMScanner(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
wire.Build(scanner.RemoteVMSet)
return scanner.Scanner{}, nil, nil
// initializeRemoteVMScanService is for vm scanning in client/server mode
func initializeRemoteVMScanService(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions,
remoteScanOptions client.ServiceOption, artifactOption artifact.Option) (scan.Service, func(), error) {
wire.Build(scan.RemoteVMSet)
return scan.Service{}, nil, nil
}

121
pkg/commands/artifact/run.go
View File

@@ -25,10 +25,11 @@ import (
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/misconf"
"github.com/aquasecurity/trivy/pkg/module"
"github.com/aquasecurity/trivy/pkg/policy"
pkgReport "github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/result"
"github.com/aquasecurity/trivy/pkg/rpc/client"
"github.com/aquasecurity/trivy/pkg/scanner"
"github.com/aquasecurity/trivy/pkg/scan"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/aquasecurity/trivy/pkg/version/doc"
)
@@ -49,8 +50,8 @@ var (
SkipScan = errors.New("skip subsequent processes")
)
// InitializeScanner defines the initialize function signature of scanner
type InitializeScanner func(context.Context, ScannerConfig) (scanner.Scanner, func(), error)
// InitializeScanService defines the initialize function signature of scan service
type InitializeScanService func(context.Context, ScannerConfig) (scan.Service, func(), error)
type ScannerConfig struct {
// e.g. image name and file path
@@ -61,7 +62,7 @@ type ScannerConfig struct {
RemoteCacheOptions cache.RemoteOptions
// Client/Server options
ServerOption client.ScannerOption
ServerOption client.ServiceOption
// Artifact options
ArtifactOption artifact.Option
@@ -89,8 +90,8 @@ type Runner interface {
}
type runner struct {
initializeScanner InitializeScanner
dbOpen bool
initializeScanService InitializeScanService
dbOpen bool
// WASM modules
module *module.Manager
@@ -98,11 +99,11 @@ type runner struct {
type RunnerOption func(*runner)
// WithInitializeScanner takes a custom scanner initialization function.
// WithInitializeService takes a custom service initialization function.
// It is useful when Trivy is imported as a library.
func WithInitializeScanner(f InitializeScanner) RunnerOption {
func WithInitializeService(f InitializeScanService) RunnerOption {
return func(r *runner) {
r.initializeScanner = f
r.initializeScanService = f
}
}
@@ -157,20 +158,20 @@ func (r *runner) ScanImage(ctx context.Context, opts flag.Options) (types.Report
// Disable the lock file scanning
opts.DisabledAnalyzers = analyzer.TypeLockfiles
var s InitializeScanner
var s InitializeScanService
switch {
case opts.Input != "" && opts.ServerAddr == "":
// Scan image tarball in standalone mode
s = archiveStandaloneScanner
s = archiveStandaloneScanService
case opts.Input != "" && opts.ServerAddr != "":
// Scan image tarball in client/server mode
s = archiveRemoteScanner
s = archiveRemoteScanService
case opts.Input == "" && opts.ServerAddr == "":
// Scan container image in standalone mode
s = imageStandaloneScanner
s = imageStandaloneScanService
case opts.Input == "" && opts.ServerAddr != "":
// Scan container image in client/server mode
s = imageRemoteScanner
s = imageRemoteScanService
}
return r.scanArtifact(ctx, opts, s)
@@ -192,13 +193,13 @@ func (r *runner) ScanRootfs(ctx context.Context, opts flag.Options) (types.Repor
}
func (r *runner) scanFS(ctx context.Context, opts flag.Options) (types.Report, error) {
var s InitializeScanner
var s InitializeScanService
if opts.ServerAddr == "" {
// Scan filesystem in standalone mode
s = filesystemStandaloneScanner
s = filesystemStandaloneScanService
} else {
// Scan filesystem in client/server mode
s = filesystemRemoteScanner
s = filesystemRemoteScanService
}
return r.scanArtifact(ctx, opts, s)
@@ -212,25 +213,25 @@ func (r *runner) ScanRepository(ctx context.Context, opts flag.Options) (types.R
opts.DisabledAnalyzers = append(analyzer.TypeIndividualPkgs, analyzer.TypeOSes...)
opts.DisabledAnalyzers = append(opts.DisabledAnalyzers, analyzer.TypeSBOM)
var s InitializeScanner
var s InitializeScanService
if opts.ServerAddr == "" {
// Scan repository in standalone mode
s = repositoryStandaloneScanner
s = repositoryStandaloneScanService
} else {
// Scan repository in client/server mode
s = repositoryRemoteScanner
s = repositoryRemoteScanService
}
return r.scanArtifact(ctx, opts, s)
}
func (r *runner) ScanSBOM(ctx context.Context, opts flag.Options) (types.Report, error) {
var s InitializeScanner
var s InitializeScanService
if opts.ServerAddr == "" {
// Scan cycloneDX in standalone mode
s = sbomStandaloneScanner
s = sbomStandaloneScanService
} else {
// Scan cycloneDX in client/server mode
s = sbomRemoteScanner
s = sbomRemoteScanService
}
return r.scanArtifact(ctx, opts, s)
@@ -240,23 +241,23 @@ func (r *runner) ScanVM(ctx context.Context, opts flag.Options) (types.Report, e
// TODO: Does VM scan disable lock file..?
opts.DisabledAnalyzers = analyzer.TypeLockfiles
var s InitializeScanner
var s InitializeScanService
if opts.ServerAddr == "" {
// Scan virtual machine in standalone mode
s = vmStandaloneScanner
s = vmStandaloneScanService
} else {
// Scan virtual machine in client/server mode
s = vmRemoteScanner
s = vmRemoteScanService
}
return r.scanArtifact(ctx, opts, s)
}
func (r *runner) scanArtifact(ctx context.Context, opts flag.Options, initializeScanner InitializeScanner) (types.Report, error) {
if r.initializeScanner != nil {
initializeScanner = r.initializeScanner
func (r *runner) scanArtifact(ctx context.Context, opts flag.Options, initializeService InitializeScanService) (types.Report, error) {
if r.initializeScanService != nil {
initializeService = r.initializeScanService
}
report, err := r.scan(ctx, opts, initializeScanner)
report, err := r.scan(ctx, opts, initializeService)
if err != nil {
return types.Report{}, xerrors.Errorf("scan error: %w", err)
}
@@ -340,7 +341,7 @@ func Run(ctx context.Context, opts flag.Options, targetKind TargetKind) (err err
defer func() {
if errors.Is(err, context.DeadlineExceeded) {
// e.g. https://aquasecurity.github.io/trivy/latest/docs/configuration/
// e.g. https://trivy.dev/latest/docs/configuration/
log.WarnContext(ctx, fmt.Sprintf("Provide a higher timeout value, see %s", doc.URL("/docs/configuration/", "")))
}
}()
@@ -418,7 +419,6 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
// Specified analyzers to be disabled depending on scanning modes
// e.g. The 'image' subcommand should disable the lock file scanning.
analyzers := opts.DisabledAnalyzers
// It doesn't analyze apk commands by default.
if !opts.ScanRemovedPkgs {
analyzers = append(analyzers, analyzer.TypeApkCommand)
@@ -434,18 +434,16 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
analyzers = append(analyzers, analyzer.TypeSecret)
}
// Filter only enabled misconfiguration scanners
ma, err := filterMisconfigAnalyzers(opts.MisconfigScanners, analyzer.TypeConfigFiles)
if err != nil {
log.Error("Invalid misconfiguration scanners specified, defaulting to use all misconfig scanners",
log.Any("scanners", opts.MisconfigScanners))
} else {
analyzers = append(analyzers, ma...)
}
// Do not perform misconfiguration scanning when it is not specified.
if !opts.Scanners.AnyEnabled(types.MisconfigScanner, types.RBACScanner) {
analyzers = append(analyzers, analyzer.TypeConfigFiles...)
} else {
// Filter only enabled misconfiguration scanners
ma := disabledMisconfigAnalyzers(opts.MisconfigScanners)
analyzers = append(analyzers, ma...)
log.Debug("Enabling misconfiguration scanners",
log.Any("scanners", lo.Without(analyzer.TypeConfigFiles, ma...)))
}
// Scanning file headers and license files is expensive.
@@ -482,14 +480,17 @@ func disabledAnalyzers(opts flag.Options) []analyzer.Type {
return analyzers
}
func filterMisconfigAnalyzers(included, all []analyzer.Type) ([]analyzer.Type, error) {
_, missing := lo.Difference(all, included)
func disabledMisconfigAnalyzers(included []analyzer.Type) []analyzer.Type {
_, missing := lo.Difference(analyzer.TypeConfigFiles, included)
if len(missing) > 0 {
return nil, xerrors.Errorf("invalid misconfiguration scanner specified %s valid scanners: %s", missing, all)
log.Error(
"Invalid misconfiguration scanners provided, using default scanners",
log.Any("invalid_scanners", missing), log.Any("default_scanners", analyzer.TypeConfigFiles),
)
return nil
}
log.Debug("Enabling misconfiguration scanners", log.Any("scanners", included))
return lo.Without(all, included...), nil
return lo.Without(analyzer.TypeConfigFiles, included...)
}
func (r *runner) initScannerConfig(ctx context.Context, opts flag.Options) (ScannerConfig, types.ScanOptions, error) {
@@ -529,7 +530,7 @@ func (r *runner) initScannerConfig(ctx context.Context, opts flag.Options) (Scan
logger := log.WithPrefix(log.PrefixSecret)
logger.Info("Secret scanning is enabled")
logger.Info("If your scanning is slow, please try '--scanners vuln' to disable secret scanning")
// e.g. https://aquasecurity.github.io/trivy/latest/docs/scanner/secret/#recommendation
// e.g. https://trivy.dev/latest/docs/scanner/secret/#recommendation
logger.Info(fmt.Sprintf("Please see also %s for faster secret detection", doc.URL("/docs/scanner/secret/", "recommendation")))
} else {
opts.SecretConfigPath = ""
@@ -613,14 +614,14 @@ func (r *runner) initScannerConfig(ctx context.Context, opts flag.Options) (Scan
}, scanOptions, nil
}
func (r *runner) scan(ctx context.Context, opts flag.Options, initializeScanner InitializeScanner) (types.Report, error) {
func (r *runner) scan(ctx context.Context, opts flag.Options, initializeService InitializeScanService) (types.Report, error) {
scannerConfig, scanOptions, err := r.initScannerConfig(ctx, opts)
if err != nil {
return types.Report{}, err
}
s, cleanup, err := initializeScanner(ctx, scannerConfig)
s, cleanup, err := initializeService(ctx, scannerConfig)
if err != nil {
return types.Report{}, xerrors.Errorf("unable to initialize a scanner: %w", err)
return types.Report{}, xerrors.Errorf("unable to initialize a scan service: %w", err)
}
defer cleanup()
@@ -635,19 +636,27 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
ctx = log.WithContextPrefix(ctx, log.PrefixMisconfiguration)
log.InfoContext(ctx, "Misconfiguration scanning is enabled")
var downloadedPolicyPaths []string
var downloadedPolicyPath string
var disableEmbedded bool
downloadedPolicyPaths, err := operation.InitBuiltinChecks(ctx, opts.CacheDir, opts.Quiet, opts.SkipCheckUpdate, opts.MisconfOptions.ChecksBundleRepository, opts.RegistryOpts())
c, err := policy.NewClient(opts.CacheDir, opts.Quiet, opts.MisconfOptions.ChecksBundleRepository)
if err != nil {
if !opts.SkipCheckUpdate {
log.ErrorContext(ctx, "Falling back to embedded checks", log.Err(err))
}
return misconf.ScannerOption{}, xerrors.Errorf("check client error: %w", err)
}
downloadedPolicyPath, err = operation.InitBuiltinChecks(ctx, c, opts.SkipCheckUpdate, opts.RegistryOpts())
if err != nil {
log.ErrorContext(ctx, "Falling back to embedded checks", log.Err(err))
} else {
log.DebugContext(ctx, "Checks successfully loaded from disk")
disableEmbedded = true
}
policyPaths := slices.Clone(opts.CheckPaths)
if downloadedPolicyPath != "" {
policyPaths = append(policyPaths, downloadedPolicyPath)
}
configSchemas, err := misconf.LoadConfigSchemas(opts.ConfigFileSchemas)
if err != nil {
return misconf.ScannerOption{}, xerrors.Errorf("load schemas error: %w", err)
@@ -656,7 +665,7 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
return misconf.ScannerOption{
Trace: opts.Trace,
Namespaces: append(opts.CheckNamespaces, rego.BuiltinNamespaces()...),
PolicyPaths: append(opts.CheckPaths, downloadedPolicyPaths...),
PolicyPaths: policyPaths,
DataPaths: opts.DataPaths,
HelmValues: opts.HelmValues,
HelmValueFiles: opts.HelmValueFiles,

99
pkg/commands/artifact/scanner.go
View File

@@ -5,121 +5,120 @@ import (
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy/pkg/scanner"
"github.com/aquasecurity/trivy/pkg/scan"
)
// imageStandaloneScanner initializes a container image scanner in standalone mode
// imageStandaloneScanService initializes a container image scan service in standalone mode
// $ trivy image alpine:3.15
func imageStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeImageScanner(ctx, conf.Target, conf.ArtifactOption.ImageOption, conf.CacheOptions, conf.ArtifactOption)
func imageStandaloneScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
s, cleanup, err := initializeImageScanService(ctx, conf.Target, conf.ArtifactOption.ImageOption, conf.CacheOptions, conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize an image scanner: %w", err)
return scan.Service{}, func() {}, xerrors.Errorf("unable to initialize an image scan service: %w", err)
}
return s, cleanup, nil
}
// archiveStandaloneScanner initializes an image archive scanner in standalone mode
// archiveStandaloneScanService initializes an image archive scan srevice in standalone mode
// $ trivy image --input alpine.tar
func archiveStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeArchiveScanner(ctx, conf.Target, conf.CacheOptions, conf.ArtifactOption)
func archiveStandaloneScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
s, cleanup, err := initializeArchiveScanService(ctx, conf.Target, conf.CacheOptions, conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize the archive scanner: %w", err)
return scan.Service{}, func() {}, xerrors.Errorf("unable to initialize the archive scan service: %w", err)
}
return s, cleanup, nil
}
// imageRemoteScanner initializes a container image scanner in client/server mode
// imageRemoteScanService initializes a container image scan service in client/server mode
// $ trivy image --server localhost:4954 alpine:3.15
func imageRemoteScanner(ctx context.Context, conf ScannerConfig) (
scanner.Scanner, func(), error) {
s, cleanup, err := initializeRemoteImageScanner(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption,
func imageRemoteScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
s, cleanup, err := initializeRemoteImageScanService(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption,
conf.ArtifactOption.ImageOption, conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, nil, xerrors.Errorf("unable to initialize a remote image scanner: %w", err)
return scan.Service{}, nil, xerrors.Errorf("unable to initialize a remote image scan service: %w", err)
}
return s, cleanup, nil
}
// archiveRemoteScanner initializes an image archive scanner in client/server mode
// archiveRemoteScanService initializes an image archive scan service in client/server mode
// $ trivy image --server localhost:4954 --input alpine.tar
func archiveRemoteScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
func archiveRemoteScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
// Scan tar file
s, cleanup, err := initializeRemoteArchiveScanner(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption, conf.ArtifactOption)
s, cleanup, err := initializeRemoteArchiveScanService(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption, conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, nil, xerrors.Errorf("unable to initialize the remote archive scanner: %w", err)
return scan.Service{}, nil, xerrors.Errorf("unable to initialize the remote archive scan service: %w", err)
}
return s, cleanup, nil
}
// filesystemStandaloneScanner initializes a filesystem scanner in standalone mode
func filesystemStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeFilesystemScanner(ctx, conf.Target, conf.CacheOptions, conf.ArtifactOption)
// filesystemStandaloneScanService initializes a filesystem scan service in standalone mode
func filesystemStandaloneScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
s, cleanup, err := initializeFilesystemScanService(ctx, conf.Target, conf.CacheOptions, conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a filesystem scanner: %w", err)
return scan.Service{}, func() {}, xerrors.Errorf("unable to initialize a filesystem scan service: %w", err)
}
return s, cleanup, nil
}
// filesystemRemoteScanner initializes a filesystem scanner in client/server mode
func filesystemRemoteScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeRemoteFilesystemScanner(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption, conf.ArtifactOption)
// filesystemRemoteScanService initializes a filesystem scan service in client/server mode
func filesystemRemoteScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
s, cleanup, err := initializeRemoteFilesystemScanService(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption, conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a remote filesystem scanner: %w", err)
return scan.Service{}, func() {}, xerrors.Errorf("unable to initialize a remote filesystem scan service: %w", err)
}
return s, cleanup, nil
}
// repositoryStandaloneScanner initializes a repository scanner in standalone mode
func repositoryStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeRepositoryScanner(ctx, conf.Target, conf.CacheOptions, conf.ArtifactOption)
// repositoryStandaloneScanService initializes a repository scan service in standalone mode
func repositoryStandaloneScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
s, cleanup, err := initializeRepositoryScanService(ctx, conf.Target, conf.CacheOptions, conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a repository scanner: %w", err)
return scan.Service{}, func() {}, xerrors.Errorf("unable to initialize a repository scan service: %w", err)
}
return s, cleanup, nil
}
// repositoryRemoteScanner initializes a repository scanner in client/server mode
func repositoryRemoteScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeRemoteRepositoryScanner(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption,
// repositoryRemoteScanService initializes a repository scan service in client/server mode
func repositoryRemoteScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
s, cleanup, err := initializeRemoteRepositoryScanService(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption,
conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a remote repository scanner: %w", err)
return scan.Service{}, func() {}, xerrors.Errorf("unable to initialize a remote repository scan service: %w", err)
}
return s, cleanup, nil
}
// sbomStandaloneScanner initializes a SBOM scanner in standalone mode
func sbomStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeSBOMScanner(ctx, conf.Target, conf.CacheOptions, conf.ArtifactOption)
// sbomStandaloneScanService initializes a SBOM scan service in standalone mode
func sbomStandaloneScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
s, cleanup, err := initializeSBOMScanService(ctx, conf.Target, conf.CacheOptions, conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a cycloneDX scanner: %w", err)
return scan.Service{}, func() {}, xerrors.Errorf("unable to initialize a cycloneDX scan service: %w", err)
}
return s, cleanup, nil
}
// sbomRemoteScanner initializes a SBOM scanner in client/server mode
func sbomRemoteScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeRemoteSBOMScanner(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption, conf.ArtifactOption)
// sbomRemoteScanService initializes a SBOM scan service in client/server mode
func sbomRemoteScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
s, cleanup, err := initializeRemoteSBOMScanService(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption, conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a remote cycloneDX scanner: %w", err)
return scan.Service{}, func() {}, xerrors.Errorf("unable to initialize a remote cycloneDX scan service: %w", err)
}
return s, cleanup, nil
}
// vmStandaloneScanner initializes a VM scanner in standalone mode
func vmStandaloneScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeVMScanner(ctx, conf.Target, conf.CacheOptions, conf.ArtifactOption)
// vmStandaloneScanService initializes a VM scan service in standalone mode
func vmStandaloneScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
s, cleanup, err := initializeVMScanService(ctx, conf.Target, conf.CacheOptions, conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a vm scanner: %w", err)
return scan.Service{}, func() {}, xerrors.Errorf("unable to initialize a vm scan service: %w", err)
}
return s, cleanup, nil
}
// vmRemoteScanner initializes a VM scanner in client/server mode
func vmRemoteScanner(ctx context.Context, conf ScannerConfig) (scanner.Scanner, func(), error) {
s, cleanup, err := initializeRemoteVMScanner(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption, conf.ArtifactOption)
// vmRemoteScanService initializes a VM scan service in client/server mode
func vmRemoteScanService(ctx context.Context, conf ScannerConfig) (scan.Service, func(), error) {
s, cleanup, err := initializeRemoteVMScanService(ctx, conf.Target, conf.RemoteCacheOptions, conf.ServerOption, conf.ArtifactOption)
if err != nil {
return scanner.Scanner{}, func() {}, xerrors.Errorf("unable to initialize a remote vm scanner: %w", err)
return scan.Service{}, func() {}, xerrors.Errorf("unable to initialize a remote vm scan service: %w", err)
}
return s, cleanup, nil
}

183
pkg/commands/artifact/wire_gen.go
View File

@@ -1,6 +1,6 @@
// Code generated by Wire. DO NOT EDIT.
//go:generate go run github.com/google/wire/cmd/wire
//go:generate go run -mod=mod github.com/google/wire/cmd/wire
//go:build !wireinject
// +build !wireinject
@@ -21,185 +21,188 @@ import (
"github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/fanal/walker"
"github.com/aquasecurity/trivy/pkg/rpc/client"
"github.com/aquasecurity/trivy/pkg/scanner"
"github.com/aquasecurity/trivy/pkg/scanner/langpkg"
"github.com/aquasecurity/trivy/pkg/scanner/local"
"github.com/aquasecurity/trivy/pkg/scanner/ospkg"
"github.com/aquasecurity/trivy/pkg/scan"
"github.com/aquasecurity/trivy/pkg/scan/langpkg"
"github.com/aquasecurity/trivy/pkg/scan/local"
"github.com/aquasecurity/trivy/pkg/scan/ospkg"
"github.com/aquasecurity/trivy/pkg/vulnerability"
)
// Injectors from inject.go:
// initializeImageScanner is for container image scanning in standalone mode
// initializeImageScanService is for container image scanning in standalone mode
// e.g. dockerd, container registry, podman, etc.
func initializeImageScanner(ctx context.Context, imageName string, imageOpt types.ImageOptions, cacheOptions cache.Options, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
func initializeImageScanService(ctx context.Context, imageName string, imageOpt types.ImageOptions, cacheOptions cache.Options, artifactOption artifact.Option) (scan.Service, func(), error) {
cacheCache, cleanup, err := cache.New(cacheOptions)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
applierApplier := applier.NewApplier(cacheCache)
ospkgScanner := ospkg.NewScanner()
scanner := ospkg.NewScanner()
langpkgScanner := langpkg.NewScanner()
config := db.Config{}
client := vulnerability.NewClient(config)
localScanner := local.NewScanner(applierApplier, ospkgScanner, langpkgScanner, client)
service := local.NewService(applierApplier, scanner, langpkgScanner, client)
typesImage, cleanup2, err := image.NewContainerImage(ctx, imageName, imageOpt)
if err != nil {
cleanup()
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
artifactArtifact, err := image2.NewArtifact(typesImage, cacheCache, artifactOption)
if err != nil {
cleanup2()
cleanup()
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(localScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
cleanup2()
cleanup()
}, nil
}
// initializeArchiveScanner is for container image archive scanning in standalone mode
// initializeArchiveScanService is for container image archive scanning in standalone mode
// e.g. docker save -o alpine.tar alpine:3.15
func initializeArchiveScanner(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
func initializeArchiveScanService(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (scan.Service, func(), error) {
cacheCache, cleanup, err := cache.New(cacheOptions)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
applierApplier := applier.NewApplier(cacheCache)
ospkgScanner := ospkg.NewScanner()
scanner := ospkg.NewScanner()
langpkgScanner := langpkg.NewScanner()
config := db.Config{}
client := vulnerability.NewClient(config)
localScanner := local.NewScanner(applierApplier, ospkgScanner, langpkgScanner, client)
service := local.NewService(applierApplier, scanner, langpkgScanner, client)
typesImage, err := image.NewArchiveImage(filePath)
if err != nil {
cleanup()
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
artifactArtifact, err := image2.NewArtifact(typesImage, cacheCache, artifactOption)
if err != nil {
cleanup()
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(localScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
cleanup()
}, nil
}
// initializeFilesystemScanner is for filesystem scanning in standalone mode
func initializeFilesystemScanner(ctx context.Context, path string, cacheOptions cache.Options, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
// initializeFilesystemScanService is for filesystem scanning in standalone mode
func initializeFilesystemScanService(ctx context.Context, path string, cacheOptions cache.Options, artifactOption artifact.Option) (scan.Service, func(), error) {
cacheCache, cleanup, err := cache.New(cacheOptions)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
applierApplier := applier.NewApplier(cacheCache)
ospkgScanner := ospkg.NewScanner()
scanner := ospkg.NewScanner()
langpkgScanner := langpkg.NewScanner()
config := db.Config{}
client := vulnerability.NewClient(config)
localScanner := local.NewScanner(applierApplier, ospkgScanner, langpkgScanner, client)
service := local.NewService(applierApplier, scanner, langpkgScanner, client)
fs := walker.NewFS()
artifactArtifact, err := local2.NewArtifact(path, cacheCache, fs, artifactOption)
if err != nil {
cleanup()
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(localScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
cleanup()
}, nil
}
func initializeRepositoryScanner(ctx context.Context, url string, cacheOptions cache.Options, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
// initializeRepositoryScanService is for repository scanning in standalone mode
func initializeRepositoryScanService(ctx context.Context, url string, cacheOptions cache.Options, artifactOption artifact.Option) (scan.Service, func(), error) {
cacheCache, cleanup, err := cache.New(cacheOptions)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
applierApplier := applier.NewApplier(cacheCache)
ospkgScanner := ospkg.NewScanner()
scanner := ospkg.NewScanner()
langpkgScanner := langpkg.NewScanner()
config := db.Config{}
client := vulnerability.NewClient(config)
localScanner := local.NewScanner(applierApplier, ospkgScanner, langpkgScanner, client)
service := local.NewService(applierApplier, scanner, langpkgScanner, client)
fs := walker.NewFS()
artifactArtifact, cleanup2, err := repo.NewArtifact(url, cacheCache, fs, artifactOption)
if err != nil {
cleanup()
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(localScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
cleanup2()
cleanup()
}, nil
}
func initializeSBOMScanner(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
// initializeSBOMScanService is for sbom scanning in standalone mode
func initializeSBOMScanService(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (scan.Service, func(), error) {
cacheCache, cleanup, err := cache.New(cacheOptions)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
applierApplier := applier.NewApplier(cacheCache)
ospkgScanner := ospkg.NewScanner()
scanner := ospkg.NewScanner()
langpkgScanner := langpkg.NewScanner()
config := db.Config{}
client := vulnerability.NewClient(config)
localScanner := local.NewScanner(applierApplier, ospkgScanner, langpkgScanner, client)
service := local.NewService(applierApplier, scanner, langpkgScanner, client)
artifactArtifact, err := sbom.NewArtifact(filePath, cacheCache, artifactOption)
if err != nil {
cleanup()
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(localScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
cleanup()
}, nil
}
func initializeVMScanner(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
// initializeVMScanService is for vm scanning in standalone mode
func initializeVMScanService(ctx context.Context, filePath string, cacheOptions cache.Options, artifactOption artifact.Option) (scan.Service, func(), error) {
cacheCache, cleanup, err := cache.New(cacheOptions)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
applierApplier := applier.NewApplier(cacheCache)
ospkgScanner := ospkg.NewScanner()
scanner := ospkg.NewScanner()
langpkgScanner := langpkg.NewScanner()
config := db.Config{}
client := vulnerability.NewClient(config)
localScanner := local.NewScanner(applierApplier, ospkgScanner, langpkgScanner, client)
service := local.NewService(applierApplier, scanner, langpkgScanner, client)
walkerVM := walker.NewVM()
artifactArtifact, err := vm.NewArtifact(filePath, cacheCache, walkerVM, artifactOption)
if err != nil {
cleanup()
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(localScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
cleanup()
}, nil
}
// initializeRemoteImageScanner is for container image scanning in client/server mode
// initializeRemoteImageScanService is for container image scanning in client/server mode
// e.g. dockerd, container registry, podman, etc.
func initializeRemoteImageScanner(ctx context.Context, imageName string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ScannerOption, imageOpt types.ImageOptions, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
func initializeRemoteImageScanService(ctx context.Context, imageName string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ServiceOption, imageOpt types.ImageOptions, artifactOption artifact.Option) (scan.Service, func(), error) {
v := _wireValue
clientScanner := client.NewScanner(remoteScanOptions, v...)
service := client.NewService(remoteScanOptions, v...)
typesImage, cleanup, err := image.NewContainerImage(ctx, imageName, imageOpt)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
remoteCache := cache.NewRemoteCache(remoteCacheOptions)
artifactArtifact, err := image2.NewArtifact(typesImage, remoteCache, artifactOption)
if err != nil {
cleanup()
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(clientScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
cleanup()
}, nil
}
@@ -208,81 +211,81 @@ var (
_wireValue = []client.Option(nil)
)
// initializeRemoteArchiveScanner is for container image archive scanning in client/server mode
// initializeRemoteArchiveScanService is for container image archive scanning in client/server mode
// e.g. docker save -o alpine.tar alpine:3.15
func initializeRemoteArchiveScanner(ctx context.Context, filePath string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
func initializeRemoteArchiveScanService(ctx context.Context, filePath string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ServiceOption, artifactOption artifact.Option) (scan.Service, func(), error) {
v := _wireValue
clientScanner := client.NewScanner(remoteScanOptions, v...)
service := client.NewService(remoteScanOptions, v...)
typesImage, err := image.NewArchiveImage(filePath)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
remoteCache := cache.NewRemoteCache(remoteCacheOptions)
artifactArtifact, err := image2.NewArtifact(typesImage, remoteCache, artifactOption)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(clientScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
}, nil
}
// initializeRemoteFilesystemScanner is for filesystem scanning in client/server mode
func initializeRemoteFilesystemScanner(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
// initializeRemoteFilesystemScanService is for filesystem scanning in client/server mode
func initializeRemoteFilesystemScanService(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ServiceOption, artifactOption artifact.Option) (scan.Service, func(), error) {
v := _wireValue
clientScanner := client.NewScanner(remoteScanOptions, v...)
service := client.NewService(remoteScanOptions, v...)
remoteCache := cache.NewRemoteCache(remoteCacheOptions)
fs := walker.NewFS()
artifactArtifact, err := local2.NewArtifact(path, remoteCache, fs, artifactOption)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(clientScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
}, nil
}
// initializeRemoteRepositoryScanner is for repository scanning in client/server mode
func initializeRemoteRepositoryScanner(ctx context.Context, url string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
// initializeRemoteRepositoryScanService is for repository scanning in client/server mode
func initializeRemoteRepositoryScanService(ctx context.Context, url string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ServiceOption, artifactOption artifact.Option) (scan.Service, func(), error) {
v := _wireValue
clientScanner := client.NewScanner(remoteScanOptions, v...)
service := client.NewService(remoteScanOptions, v...)
remoteCache := cache.NewRemoteCache(remoteCacheOptions)
fs := walker.NewFS()
artifactArtifact, cleanup, err := repo.NewArtifact(url, remoteCache, fs, artifactOption)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(clientScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
cleanup()
}, nil
}
// initializeRemoteSBOMScanner is for sbom scanning in client/server mode
func initializeRemoteSBOMScanner(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
// initializeRemoteSBOMScanService is for sbom scanning in client/server mode
func initializeRemoteSBOMScanService(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ServiceOption, artifactOption artifact.Option) (scan.Service, func(), error) {
v := _wireValue
clientScanner := client.NewScanner(remoteScanOptions, v...)
service := client.NewService(remoteScanOptions, v...)
remoteCache := cache.NewRemoteCache(remoteCacheOptions)
artifactArtifact, err := sbom.NewArtifact(path, remoteCache, artifactOption)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(clientScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
}, nil
}
// initializeRemoteVMScanner is for vm scanning in client/server mode
func initializeRemoteVMScanner(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ScannerOption, artifactOption artifact.Option) (scanner.Scanner, func(), error) {
// initializeRemoteVMScanService is for vm scanning in client/server mode
func initializeRemoteVMScanService(ctx context.Context, path string, remoteCacheOptions cache.RemoteOptions, remoteScanOptions client.ServiceOption, artifactOption artifact.Option) (scan.Service, func(), error) {
v := _wireValue
clientScanner := client.NewScanner(remoteScanOptions, v...)
service := client.NewService(remoteScanOptions, v...)
remoteCache := cache.NewRemoteCache(remoteCacheOptions)
walkerVM := walker.NewVM()
artifactArtifact, err := vm.NewArtifact(path, remoteCache, walkerVM, artifactOption)
if err != nil {
return scanner.Scanner{}, nil, err
return scan.Service{}, nil, err
}
scannerScanner := scanner.NewScanner(clientScanner, artifactArtifact)
return scannerScanner, func() {
scanService := scan.NewService(service, artifactArtifact)
return scanService, func() {
}, nil
}

Some files were not shown because too many files have changed in this diff Show More