gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-09 14:20:47 -08:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: gitea-mirror:v0.62.1
Branches Tags
gitea-mirror:main gitea-mirror:gh-pages gitea-mirror:release-please--branches--main gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1
..
compare: gitea-mirror:release/v0.63
Branches Tags
gitea-mirror:gh-pages gitea-mirror:release-please--branches--main gitea-mirror:main gitea-mirror:dependabot/go_modules/aws-9d2ed512d3 gitea-mirror:dependabot/go_modules/docker-fd300ea992 gitea-mirror:release-please--branches--release/v0.68 gitea-mirror:release/v0.68 gitea-mirror:dependabot/docker/docker-b99cc7e132 gitea-mirror:dependabot/go_modules/github.com/quic-go/quic-go-0.54.1 gitea-mirror:release/v0.67 gitea-mirror:release/v0.66 gitea-mirror:release/v0.65 gitea-mirror:release/v0.64 gitea-mirror:feat/rootio-support gitea-mirror:release/v0.63 gitea-mirror:release/v0.62 gitea-mirror:release/v0.61 gitea-mirror:refactor/custom_flags gitea-mirror:release/v0.60 gitea-mirror:release/v0.59 gitea-mirror:release/v0.58 gitea-mirror:release/v0.57 gitea-mirror:release/v0.56 gitea-mirror:release/v0.55 gitea-mirror:release/v0.54 gitea-mirror:release/v0.53 gitea-mirror:release/v0.52 gitea-mirror:v0.51 gitea-mirror:v0.48 gitea-mirror:v0.43
gitea-mirror:v0.68.1 gitea-mirror:v0.68.0 gitea-mirror:v0.67.2 gitea-mirror:v0.67.1 gitea-mirror:v0.67.0 gitea-mirror:v0.66.0 gitea-mirror:v0.65.0 gitea-mirror:v0.64.1 gitea-mirror:v0.64.0 gitea-mirror:v0.63.0 gitea-mirror:v0.62.1 gitea-mirror:v0.62.0 gitea-mirror:v0.61.1 gitea-mirror:v0.61.0 gitea-mirror:v0.60.0 gitea-mirror:v0.59.1 gitea-mirror:v0.59.0 gitea-mirror:v0.58.2 gitea-mirror:v0.58.1 gitea-mirror:v0.58.0 gitea-mirror:v0.57.1 gitea-mirror:v0.57.0 gitea-mirror:v0.56.2 gitea-mirror:v0.56.1 gitea-mirror:v0.56.0 gitea-mirror:v0.55.2 gitea-mirror:v0.55.1 gitea-mirror:v0.55.0 gitea-mirror:v0.54.1 gitea-mirror:v0.54.0 gitea-mirror:v0.53.0 gitea-mirror:v0.52.2 gitea-mirror:v0.52.1 gitea-mirror:v0.52.0 gitea-mirror:v0.51.4 gitea-mirror:v0.51.2 gitea-mirror:v0.51.1 gitea-mirror:v0.51.0 gitea-mirror:v0.50.4 gitea-mirror:v0.50.2 gitea-mirror:v0.50.1 gitea-mirror:v0.50.0 gitea-mirror:v0.49.1 gitea-mirror:v0.49.0 gitea-mirror:v0.48.3 gitea-mirror:v0.48.2 gitea-mirror:v0.48.1 gitea-mirror:v0.48.0 gitea-mirror:v0.47.0 gitea-mirror:v0.46.1 gitea-mirror:v0.46.0 gitea-mirror:v0.45.1 gitea-mirror:v0.45.0 gitea-mirror:v0.44.1 gitea-mirror:v0.44.0 gitea-mirror:v0.43.1 gitea-mirror:v0.43.0 gitea-mirror:v0.42.1 gitea-mirror:v0.42.0 gitea-mirror:v0.41.0 gitea-mirror:v0.40.0 gitea-mirror:v0.39.1 gitea-mirror:v0.39.0 gitea-mirror:v0.38.3 gitea-mirror:v0.38.2 gitea-mirror:v0.38.1 gitea-mirror:v0.38.0 gitea-mirror:v0.37.3 gitea-mirror:v0.37.2 gitea-mirror:v0.37.1 gitea-mirror:v0.37.0 gitea-mirror:v0.36.1 gitea-mirror:v0.36.0 gitea-mirror:v0.35.0 gitea-mirror:v0.34.0 gitea-mirror:v0.33.0 gitea-mirror:v0.32.1 gitea-mirror:v0.32.0 gitea-mirror:v0.31.3 gitea-mirror:v0.31.2 gitea-mirror:v0.31.1 gitea-mirror:v0.31.0 gitea-mirror:v0.30.4 gitea-mirror:v0.30.3 gitea-mirror:v0.30.2 gitea-mirror:v0.30.1 gitea-mirror:v0.30.0 gitea-mirror:v0.29.2 gitea-mirror:v0.29.1 gitea-mirror:v0.29.0 gitea-mirror:v0.28.1 gitea-mirror:v0.28.0 gitea-mirror:v0.27.1 gitea-mirror:v0.27.0 gitea-mirror:v0.26.0 gitea-mirror:v0.25.4 gitea-mirror:v0.25.3 gitea-mirror:v0.25.2 gitea-mirror:v0.25.1 gitea-mirror:v0.25.0 gitea-mirror:v0.24.4 gitea-mirror:v0.24.3 gitea-mirror:v0.24.2 gitea-mirror:v0.24.1 gitea-mirror:v0.24.0 gitea-mirror:v0.23.0 gitea-mirror:v0.22.0 gitea-mirror:v0.21.3 gitea-mirror:v0.21.2 gitea-mirror:v0.21.1 gitea-mirror:v0.21.0 gitea-mirror:v0.20.2 gitea-mirror:v0.20.1 gitea-mirror:v0.20.0 gitea-mirror:v0.19.2 gitea-mirror:v0.19.1 gitea-mirror:v0.19.0 gitea-mirror:v0.18.3 gitea-mirror:v0.18.2 gitea-mirror:v0.18.1 gitea-mirror:v0.18.0 gitea-mirror:v0.17.2 gitea-mirror:v0.17.1 gitea-mirror:v0.17.0 gitea-mirror:v0.16.0 gitea-mirror:v0.15.0 gitea-mirror:v0.14.0 gitea-mirror:v0.13.0 gitea-mirror:v0.12.0 gitea-mirror:v0.11.0 gitea-mirror:v0.10.2 gitea-mirror:v0.10.1 gitea-mirror:v0.10.0 gitea-mirror:v0.9.2 gitea-mirror:v0.9.1 gitea-mirror:v0.9.0 gitea-mirror:v0.8.0 gitea-mirror:v0.7.0 gitea-mirror:v0.6.0 gitea-mirror:v0.5.4 gitea-mirror:v0.5.3 gitea-mirror:v0.5.2 gitea-mirror:v0.5.1 gitea-mirror:v0.5.0 gitea-mirror:v0.4.4 gitea-mirror:v0.4.3 gitea-mirror:v0.4.2 gitea-mirror:v0.4.1 gitea-mirror:v0.4.0 gitea-mirror:v0.3.1 gitea-mirror:v0.3.0 gitea-mirror:v0.2.1 gitea-mirror:v0.2.0 gitea-mirror:v0.1.7 gitea-mirror:v0.1.6 gitea-mirror:v0.1.5 gitea-mirror:v0.1.4 gitea-mirror:v0.1.3 gitea-mirror:v0.1.2 gitea-mirror:v0.1.1 gitea-mirror:v0.1.0 gitea-mirror:v0.0.16 gitea-mirror:v0.0.15 gitea-mirror:v0.0.14 gitea-mirror:v0.0.13 gitea-mirror:v0.0.12 gitea-mirror:v0.0.11 gitea-mirror:v0.0.10 gitea-mirror:v0.0.9 gitea-mirror:v0.0.8 gitea-mirror:v0.0.7 gitea-mirror:v0.0.6 gitea-mirror:v0.0.5 gitea-mirror:v0.0.4 gitea-mirror:v0.0.3 gitea-mirror:v0.0.2 gitea-mirror:v0.0.1

58 Commits
v0.62.1 ... release/v0

Author SHA1 Message Date
Aqua Security automated builds
69093d2c23 release: v0.63.0 [main] (#8809) 2025-05-29 16:59:01 +00:00
Nikita Pivkin
7e9a54cd6b fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-05-29 16:35:33 +00:00
simar7
78e3304bbe chore(deps): Bump trivy-checks (#8934) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-05-29 12:37:47 +00:00
DmitriyLewen
22f040f947 fix(julia): add Relationship field support (#8939) 2025-05-29 11:26:55 +00:00
Daniel Wachter
c2dde33c3f feat(minimos): Add support for MinimOS (#8792) 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
 2025-05-29 11:21:22 +00:00
Teppei Fukuda
104bbc18ea feat(alpine): add maintainer field extraction for APK packages (#8930) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2025-05-29 10:47:33 +00:00
Ori
c7b8cc392e feat(echo): Add Echo Support (#8833) 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
 2025-05-29 10:33:29 +00:00
Romain Geissler @ Amadeus
906b037cff fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924) 2025-05-29 09:55:33 +00:00
Teppei Fukuda
b15d9a60e6 fix(wolfi): support new APK database location (#8937) 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
 2025-05-29 08:20:12 +00:00
afdesk
4f1ab23869 feat(k8s): get components from namespaced resources (#8918) 2025-05-29 03:50:21 +00:00
Nikita Pivkin
5bae2626e0 refactor(cloudformation): remove unused ScanFile method from Scanner (#8927) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-05-29 00:40:20 +00:00
Nikita Pivkin
4a7ebb70b4 refactor(terraform): remove result sorting from scanner (#8928) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-05-28 21:30:22 +00:00
simar7
3b2a3976ac feat(misconf): Add support for Minimum Trivy Version (#8880) 
Signed-off-by: Simar <simar@linux.com>
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-05-28 21:22:21 +00:00
Itay Shakury
1d420e669f docs: improve skipping files documentation (#8749) 2025-05-28 12:09:48 +00:00
Owen Rumney
5a0bf9ed31 feat(cli): Add available version checking (#8553) 
Signed-off-by: Owen Rumney <owen.rumney@aquasec.com>
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
Co-authored-by: Itay <itay@itaysk.com>
Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
 2025-05-28 08:09:16 +00:00
Ashwani Kumar Kamal
7ca656d54b feat(nodejs): add a bun.lock analyzer (#8897) 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
 2025-05-28 07:14:54 +00:00
Steven Masley
8939451174 feat: terraform parser option to set current working directory (#8909) 2025-05-27 18:05:51 +00:00
Peter Thomas
60fef1b615 perf(secret): only match secrets of meaningful length, allow example strings to not be matched (#8602) 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
 2025-05-27 10:17:37 +00:00
Nikita Pivkin
aaecc29e90 feat(misconf): export raw Terraform data to Rego (#8741) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-05-27 04:34:17 +00:00
Nikita Pivkin
6c7cb7ad2d refactor(terraform): simplify AllReferences method signature in Attribute (#8906) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-05-24 00:09:04 +00:00
Teppei Fukuda
93e6680b1c fix: check post-analyzers for StaticPaths (#8904) 2025-05-23 08:42:32 +00:00
David du Colombier
07ef63b483 feat: add Bottlerocket OS package analyzer (#8653) 2025-05-23 07:50:59 +00:00
DmitriyLewen
ee522300b7 feat(license): improve work text licenses with custom classification (#8888) 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
 2025-05-22 11:53:15 +00:00
dependabot[bot]
cae79d637d chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 (#8901) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-05-22 09:22:59 +00:00
dependabot[bot]
bcf246ca85 chore(deps): bump the common group across 1 directory with 9 updates (#8887) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-05-22 06:24:24 +00:00
Teppei Fukuda
0229eb70ab refactor(license): simplify compound license scanning (#8896) 2025-05-21 11:23:49 +00:00
Jonatan Lindström
39f9ed128b feat(license): Support compound licenses (licenses using SPDX operators) (#8816) 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
 2025-05-21 08:33:52 +00:00
Nikita Pivkin
fe127715e5 fix(k8s): use in-memory cache backend during misconfig scanning (#8873) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-05-21 00:22:23 +00:00
Ashwani Kumar Kamal
1dcf81666f feat(nodejs): add bun.lock parser (#8851) 
Signed-off-by: Ashwani Kumar Kamal (sneaky-potato) <ashwanikamal.im421@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2025-05-20 14:00:47 +00:00
DmitriyLewen
c321fdfcdd feat(license): improve work with custom classification of licenses from config file (#8861) 2025-05-20 07:57:09 +00:00
DmitriyLewen
69a5fa18ca fix(cli): disable --skip-dir and --skip-files flags for sbom command (#8886) 2025-05-19 12:58:19 +00:00
Sandro
be8c7b796d fix: julia parser panicing (#8883) 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
 2025-05-19 09:47:44 +00:00
DmitriyLewen
6aff7b0c4f refactor(db): change logic to detect wrong DB (#8864) 2025-05-19 05:01:50 +00:00
DmitriyLewen
35e88890c3 fix(cli): don't use allow values for --compliance flag (#8881) 2025-05-16 10:15:32 +00:00
simar7
239f65a45c docs(misconf): Reorganize misconfiguration scan pages (#8206) 2025-05-16 00:36:35 +00:00
DmitriyLewen
38f17c945e fix(server): add missed Relationship field for rpc (#8872) 2025-05-15 05:47:04 +00:00
Teppei Fukuda
0b0e4061ef feat: add JSONC support for comments and trailing commas (#8862) 2025-05-13 10:24:11 +00:00
DmitriyLewen
e97af9806a fix(vex): use lo.IsNil to check VEX from OCI artifact (#8858) 2025-05-13 06:40:15 +00:00
Teppei Fukuda
26437be083 feat(go): support license scanning in both GOPATH and vendor (#8843) 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
 2025-05-12 09:24:10 +00:00
DmitriyLewen
9256804df8 fix(redhat): save contentSets for OS packages in fs/vm modes (#8820) 2025-05-12 06:26:14 +00:00
DmitriyLewen
6ebde88dbc fix: filter all files when processing files installed from package managers (#8842) 2025-05-08 04:50:57 +00:00
Nikita Pivkin
a516775da6 feat(misconf): add misconfiguration location to junit template (#8793) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-05-07 23:52:32 +00:00
DmitriyLewen
c9ba460a9b docs(vuln): remove OSV for Python from data sources (#8841) 2025-05-07 11:52:19 +00:00
Teppei Fukuda
2a21fd8cac chore: add an issue template for maintainers (#8838) 2025-05-07 07:10:31 +00:00
Matthieu MOREL
3b1426a676 chore: enable staticcheck (#8815) 
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
 2025-05-07 06:15:35 +00:00
Aqua Security automated builds
679153950c ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1 (#8836) 
Co-authored-by: GitHub Actions <actions@github.com>
 2025-05-07 04:59:52 +00:00
oneum20
dd6a6e50a4 feat(license): scan vendor directory for license for go.mod files (#8689) 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
 2025-05-06 13:13:49 +00:00
Ashwani Kumar Kamal
3bf4f44931 docs(java): Update info about dev deps in gradle lock (#8830) 
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
 2025-05-06 12:39:07 +00:00
dependabot[bot]
2ab8ae9291 chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the common group (#8822) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-05-05 16:19:03 +00:00
Ashwani Kumar Kamal
8995838e8d fix(java): exclude dev dependencies in gradle lockfile (#8803) 2025-05-05 14:00:15 +00:00
Matthieu MOREL
a19e0aa1ba fix: octalLiteral from go-critic (#8811) 
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
 2025-05-05 13:49:07 +00:00
Teppei Fukuda
fa1077bbf5 fix(redhat): trim invalid suffix from content_sets in manifest parsing (#8818) 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
 2025-05-05 11:25:54 +00:00
dependabot[bot]
e322f212a5 chore(deps): bump the common group across 1 directory with 10 updates (#8817) 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-05-05 06:58:52 +00:00
Matthieu MOREL
883c63bf29 fix: use-any from revive (#8810) 
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
 2025-05-05 06:35:29 +00:00
Matthieu MOREL
3ab459e3b6 fix: more revive rules (#8814) 
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
 2025-05-05 05:50:37 +00:00
Tudor
296eb3c814 docs: change in java.md: fix the Trity -to-> Trivy typo (#8813) 2025-05-02 19:04:49 +00:00
Nikita Pivkin
5706603146 fix(misconf): check if for-each is known when expanding dyn block (#8808) 
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
 2025-05-02 01:43:59 +00:00
Aqua Security automated builds
6e23ca96d1 ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0 (#8802) 
Co-authored-by: GitHub Actions <actions@github.com>
 2025-04-30 18:47:24 +00:00
274 changed files with 8541 additions and 2780 deletions
Expand all files Collapse all files

11
.github/ISSUE_TEMPLATE/maintainer.md vendored Normal file
View File

@@ -0,0 +1,11 @@
---
name: Maintainer
about: Create an issue by maintainers
title: ''
labels: ''
assignees: ''
---
## Are you a maintainer of the Trivy project?
If not, please open [a discussion](https://github.com/aquasecurity/trivy/discussions); if you are, please review [the guideline](https://trivy.dev/latest/community/contribute/discussion/).

6
.github/workflows/semantic-pr.yaml vendored
View File

@@ -63,8 +63,10 @@ jobs:
amazon
suse
photon
echo
distroless
windows
minimos
# Languages
ruby
@@ -121,7 +123,7 @@ jobs:
# Convert env vars to regex alternatives, excluding comments and empty lines
TYPES_REGEX=$(echo "$VALID_TYPES" | grep -v '^$' | paste -sd '|')
SCOPES_REGEX=$(echo "$VALID_SCOPES" | grep -v '^$' | grep -v '^#' | paste -sd '|')
# Basic format check (should match: type(scope): description or type: description)
FORMAT_REGEX="^[a-z]+(\([a-z0-9+]+\))?!?: .+$"
if ! echo "$PR_TITLE" | grep -qE "$FORMAT_REGEX"; then
@@ -158,6 +160,6 @@ jobs:
exit 1
fi
fi
echo "PR title validation passed ✅"
echo "Current title: $PR_TITLE"

48
.golangci.yaml
View File

@@ -25,16 +25,15 @@ linters:
gocritic:
disabled-checks:
- appendAssign
- unnamedResult
- whyNoLint
- commentedOutCode
- hugeParam
- importShadow # FIXME
- indexAlloc
- octalLiteral
- hugeParam
- rangeValCopy
- regexpSimplify
- sloppyReassign
- commentedOutCode
- unnamedResult
- whyNoLint
enabled-tags:
- diagnostic
- style
@@ -91,16 +90,44 @@ linters:
max-open-files: 2048
# https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIONS.md
rules:
- name: bool-literal-in-expr
- name: context-as-argument
arguments:
- allowTypesBefore: "*testing.T"
- name: duplicated-imports
- name: early-return
arguments:
- preserve-scope
- name: if-return
- name: increment-decrement
- name: indent-error-flow
arguments:
- preserve-scope
- name: range
- name: range-val-address
- name: superfluous-else
arguments:
- preserve-scope
- name: time-equal
- name: unnecessary-stmt
- name: unused-parameter
- name: use-any
staticcheck:
checks:
- all
- -QF1008 # Omit embedded fields from selector expression
- -S1007 # Simplify regular expression by using raw string literal
- -S1011 # Use a single append to concatenate two slices
- -S1023 # Omit redundant control flow
- -SA1019 # Using a deprecated function, variable, constant or field
- -SA1024 # A string cutset contains duplicate characters
- -SA4004 # The loop exits unconditionally after one iteration
- -SA4023 # Impossible comparison of interface value with untyped nil
- -SA4032 # Comparing runtime.GOOS or runtime.GOARCH against impossible value
- -SA5011 # Possible nil pointer dereference
- -ST1003 # Poorly chosen identifier
- -ST1012 # Poorly chosen name for error variable
testifylint:
enable-all: true
@@ -120,6 +147,7 @@ linters:
- misspell
- perfsprint
- revive
- staticcheck
- testifylint
- unconvert
- unused
@@ -129,7 +157,6 @@ linters:
exclusions:
generated: lax
paths:
- "examples/*"
- "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
rules:
- path: ".*_test.go$"
@@ -153,9 +180,6 @@ linters:
linters:
- gocritic
text: "importShadow:"
- linters:
- perfsprint
text: "fmt.Sprint"
- linters:
- goconst
text: "string `each` has 3 occurrences, make it a constant" # FIXME
@@ -177,9 +201,6 @@ formatters:
exclusions:
generated: lax
paths:
- examples/*
- pkg/iac/scanners/terraform/parser/funcs # copies of Terraform functions
settings:
gci:
@@ -191,8 +212,5 @@ formatters:
- dot
gofmt:
simplify: false
rewrite-rules:
- pattern: interface{}
replacement: any
version: "2"

2
.release-please-manifest.json
View File

@@ -1 +1 @@
{".":"0.62.1"}
{".":"0.63.0"}

50
CHANGELOG.md
View File

@@ -1,12 +1,56 @@
# Changelog
## [0.62.1](https://github.com/aquasecurity/trivy/compare/v0.62.0...v0.62.1) (2025-05-06)
## [0.63.0](https://github.com/aquasecurity/trivy/compare/v0.62.0...v0.63.0) (2025-05-29)
### Features
* add Bottlerocket OS package analyzer ([#8653](https://github.com/aquasecurity/trivy/issues/8653)) ([07ef63b](https://github.com/aquasecurity/trivy/commit/07ef63b4830f9f3d791a07433287a99118d7590a))
* add JSONC support for comments and trailing commas ([#8862](https://github.com/aquasecurity/trivy/issues/8862)) ([0b0e406](https://github.com/aquasecurity/trivy/commit/0b0e4061ef955efc0f94280d2d390f11ff6e2409))
* **alpine:** add maintainer field extraction for APK packages ([#8930](https://github.com/aquasecurity/trivy/issues/8930)) ([104bbc1](https://github.com/aquasecurity/trivy/commit/104bbc18ea85caec17125296dc4fe2dea9c49826))
* **cli:** Add available version checking ([#8553](https://github.com/aquasecurity/trivy/issues/8553)) ([5a0bf9e](https://github.com/aquasecurity/trivy/commit/5a0bf9ed31ad34248895e69231da602935e66785))
* **echo:** Add Echo Support ([#8833](https://github.com/aquasecurity/trivy/issues/8833)) ([c7b8cc3](https://github.com/aquasecurity/trivy/commit/c7b8cc392eb28eb63e10561cf1ff7991e5e3c548))
* **go:** support license scanning in both GOPATH and vendor ([#8843](https://github.com/aquasecurity/trivy/issues/8843)) ([26437be](https://github.com/aquasecurity/trivy/commit/26437be083960d17bee8b1b37b8a6780eff07981))
* **k8s:** get components from namespaced resources ([#8918](https://github.com/aquasecurity/trivy/issues/8918)) ([4f1ab23](https://github.com/aquasecurity/trivy/commit/4f1ab238693919772a65450de9fb9fb2f873c0d6))
* **license:** improve work text licenses with custom classification ([#8888](https://github.com/aquasecurity/trivy/issues/8888)) ([ee52230](https://github.com/aquasecurity/trivy/commit/ee522300b73a2afc72829fc2fa7ff419712fc89a))
* **license:** improve work with custom classification of licenses from config file ([#8861](https://github.com/aquasecurity/trivy/issues/8861)) ([c321fdf](https://github.com/aquasecurity/trivy/commit/c321fdfcdd58f34d076fc730e2b63fdd13e426a9))
* **license:** scan vendor directory for license for go.mod files ([#8689](https://github.com/aquasecurity/trivy/issues/8689)) ([dd6a6e5](https://github.com/aquasecurity/trivy/commit/dd6a6e50a44b7b543fd9dba634da599a76650acb))
* **license:** Support compound licenses (licenses using SPDX operators) ([#8816](https://github.com/aquasecurity/trivy/issues/8816)) ([39f9ed1](https://github.com/aquasecurity/trivy/commit/39f9ed128b2c0fb599ad9092a3cf5675106bffdc))
* **minimos:** Add support for MinimOS ([#8792](https://github.com/aquasecurity/trivy/issues/8792)) ([c2dde33](https://github.com/aquasecurity/trivy/commit/c2dde33c3f19d499258a7089d7658a9f90722acf))
* **misconf:** add misconfiguration location to junit template ([#8793](https://github.com/aquasecurity/trivy/issues/8793)) ([a516775](https://github.com/aquasecurity/trivy/commit/a516775da6fda92a55a62418a081561127a1d5ca))
* **misconf:** Add support for `Minimum Trivy Version` ([#8880](https://github.com/aquasecurity/trivy/issues/8880)) ([3b2a397](https://github.com/aquasecurity/trivy/commit/3b2a3976ac7e7785828655903b132e84ebd9d727))
* **misconf:** export raw Terraform data to Rego ([#8741](https://github.com/aquasecurity/trivy/issues/8741)) ([aaecc29](https://github.com/aquasecurity/trivy/commit/aaecc29e909db4d5dac03caa0daf223035bfb877))
* **nodejs:** add a bun.lock analyzer ([#8897](https://github.com/aquasecurity/trivy/issues/8897)) ([7ca656d](https://github.com/aquasecurity/trivy/commit/7ca656d54b99346253fc6ac6422eecaca169514e))
* **nodejs:** add bun.lock parser ([#8851](https://github.com/aquasecurity/trivy/issues/8851)) ([1dcf816](https://github.com/aquasecurity/trivy/commit/1dcf81666f1c814600702b9ab603b4070da0b940))
* terraform parser option to set current working directory ([#8909](https://github.com/aquasecurity/trivy/issues/8909)) ([8939451](https://github.com/aquasecurity/trivy/commit/893945117464bf6e090a55e3822f8299825f26d4))
### Bug Fixes
* **misconf:** check if for-each is known when expanding dyn block [backport: release/v0.62] ([#8826](https://github.com/aquasecurity/trivy/issues/8826)) ([99485cf](https://github.com/aquasecurity/trivy/commit/99485cfea2de53570342901eac860afdaacce86f))
* **redhat:** trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] ([#8824](https://github.com/aquasecurity/trivy/issues/8824)) ([b4fc9e8](https://github.com/aquasecurity/trivy/commit/b4fc9e8ca1ff77a2795ffa47d0fc53cecd0e1bbd))
* check post-analyzers for StaticPaths ([#8904](https://github.com/aquasecurity/trivy/issues/8904)) ([93e6680](https://github.com/aquasecurity/trivy/commit/93e6680b1c6bbb590157f521c667c0f611775143))
* **cli:** disable `--skip-dir` and `--skip-files` flags for `sbom` command ([#8886](https://github.com/aquasecurity/trivy/issues/8886)) ([69a5fa1](https://github.com/aquasecurity/trivy/commit/69a5fa18ca86ff7e5206abacf98732d46c000c7a))
* **cli:** don't use allow values for `--compliance` flag ([#8881](https://github.com/aquasecurity/trivy/issues/8881)) ([35e8889](https://github.com/aquasecurity/trivy/commit/35e88890c3c201b3eb11f95376172e57bf44df4b))
* filter all files when processing files installed from package managers ([#8842](https://github.com/aquasecurity/trivy/issues/8842)) ([6ebde88](https://github.com/aquasecurity/trivy/commit/6ebde88dbcaf22f25932bad4844b3c9eaca90560))
* **java:** exclude dev dependencies in gradle lockfile ([#8803](https://github.com/aquasecurity/trivy/issues/8803)) ([8995838](https://github.com/aquasecurity/trivy/commit/8995838e8d184ee9178d5b52d2d3fa9b4e403015))
* julia parser panicing ([#8883](https://github.com/aquasecurity/trivy/issues/8883)) ([be8c7b7](https://github.com/aquasecurity/trivy/commit/be8c7b796dbe36d8dc3889e0bdea23336de9a1ab))
* **julia:** add `Relationship` field support ([#8939](https://github.com/aquasecurity/trivy/issues/8939)) ([22f040f](https://github.com/aquasecurity/trivy/commit/22f040f94790060132c7b0a635f44c35d5a35fb6))
* **k8s:** use in-memory cache backend during misconfig scanning ([#8873](https://github.com/aquasecurity/trivy/issues/8873)) ([fe12771](https://github.com/aquasecurity/trivy/commit/fe127715e505d753e0d878d52c5f280cdc326b76))
* **misconf:** check if for-each is known when expanding dyn block ([#8808](https://github.com/aquasecurity/trivy/issues/8808)) ([5706603](https://github.com/aquasecurity/trivy/commit/570660314698472ab831a7e0d55044e0b1e9c6c0))
* **misconf:** use argument value in WithIncludeDeprecatedChecks ([#8942](https://github.com/aquasecurity/trivy/issues/8942)) ([7e9a54c](https://github.com/aquasecurity/trivy/commit/7e9a54cd6bf4bc15e485c6233d140b389e432fe5))
* more revive rules ([#8814](https://github.com/aquasecurity/trivy/issues/8814)) ([3ab459e](https://github.com/aquasecurity/trivy/commit/3ab459e3b674f319bf349d478917a531a69754c0))
* octalLiteral from go-critic ([#8811](https://github.com/aquasecurity/trivy/issues/8811)) ([a19e0aa](https://github.com/aquasecurity/trivy/commit/a19e0aa1ba0350198c898fd57c9405fbf38fa432))
* **redhat:** Also try to find buildinfo in root layer (layer 0) ([#8924](https://github.com/aquasecurity/trivy/issues/8924)) ([906b037](https://github.com/aquasecurity/trivy/commit/906b037cff97060267d20f8947f429e078419d66))
* **redhat:** save contentSets for OS packages in fs/vm modes ([#8820](https://github.com/aquasecurity/trivy/issues/8820)) ([9256804](https://github.com/aquasecurity/trivy/commit/9256804df8577d8a746fb8b97c508c247ab82f8f))
* **redhat:** trim invalid suffix from content_sets in manifest parsing ([#8818](https://github.com/aquasecurity/trivy/issues/8818)) ([fa1077b](https://github.com/aquasecurity/trivy/commit/fa1077bbf5863a519f6f180a600afe5e2d6180d8))
* **server:** add missed Relationship field for `rpc` ([#8872](https://github.com/aquasecurity/trivy/issues/8872)) ([38f17c9](https://github.com/aquasecurity/trivy/commit/38f17c945e3ef7784607037c0457fb1e06a99959))
* use-any from revive ([#8810](https://github.com/aquasecurity/trivy/issues/8810)) ([883c63b](https://github.com/aquasecurity/trivy/commit/883c63bf29568f0feab37e5d36ae1c417eef88f5))
* **vex:** use `lo.IsNil` to check `VEX` from OCI artifact ([#8858](https://github.com/aquasecurity/trivy/issues/8858)) ([e97af98](https://github.com/aquasecurity/trivy/commit/e97af9806ab13e1ec8b792e0586b486c4982c170))
* **wolfi:** support new APK database location ([#8937](https://github.com/aquasecurity/trivy/issues/8937)) ([b15d9a6](https://github.com/aquasecurity/trivy/commit/b15d9a60e6a3ed40811d5ca6387082266ae92ea7))
### Performance Improvements
* **secret:** only match secrets of meaningful length, allow example strings to not be matched ([#8602](https://github.com/aquasecurity/trivy/issues/8602)) ([60fef1b](https://github.com/aquasecurity/trivy/commit/60fef1b615a765248c5870b814ba0c4345220c0e))
## [0.62.0](https://github.com/aquasecurity/trivy/compare/v0.61.0...v0.62.0) (2025-04-30)

5
cmd/trivy/main.go
View File

@@ -42,8 +42,5 @@ func run() error {
}
app := commands.NewApp()
if err := app.Execute(); err != nil {
return err
}
return nil
return app.Execute()
}

19
contrib/junit.tpl
View File

@@ -15,6 +15,7 @@
{{- end }}
</testsuite>
{{- $target := .Target }}
{{- if .MisconfSummary }}
<testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}" failures="{{ .MisconfSummary.Failures }}" name="{{ .Target }}" errors="0" time="">
{{- else }}
@@ -28,7 +29,23 @@
{{ range .Misconfigurations }}
<testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
{{- if (eq .Status "FAIL") }}
<failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
<failure message="{{ escapeXML .Title }}" type="description">&#xA;
{{- $target }}:
{{- with .CauseMetadata }}
{{- .StartLine }}
{{- if lt .StartLine .EndLine }}:{{ .EndLine }}{{ end }}:&#xA;&#xA;Occurrences:&#xA;
{{- range $i := .Occurrences -}}
via {{ .Filename }}:
{{- .Location.StartLine }}
{{- if lt .Location.StartLine .Location.EndLine }}:{{ .Location.EndLine }}{{ end }} ({{ .Resource }})&#xA;
{{- end -}}
&#xA;Code:&#xA;
{{- range .Code.Lines }}
{{- if .IsCause }}{{ escapeXML .Content }}&#xA;{{- end }}
{{- end }}&#xA;
{{- end }}
{{- escapeXML .Description }}
</failure>
{{- end }}
</testcase>
{{- end }}

5
docs/docs/advanced/air-gap.md
View File

@@ -75,3 +75,8 @@ Trivy might attempt to connect (over HTTPS) to the following URLs:
### Offline mode
There's no way to leverage Maven Central in a network-restricted environment, but you can prevent Trivy from trying to connect to it by using the `--offline-scan` flag.
## Check updates service
Trivy [checks for updates](../configuration/others.md#check-for-updates) and [collects usage telemetry](../advanced/telemetry.md) by connecting to the following domain: `https://check.trivy.dev`.
Connectivity with this domain is entirely optional and is not necessary for the normal operation of Trivy.

2
docs/docs/advanced/container/unpacked-filesystem.md
View File

@@ -113,4 +113,4 @@ Total: 20 (UNKNOWN: 0, LOW: 2, MEDIUM: 10, HIGH: 8, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
```
</details>
</details>

33
docs/docs/advanced/telemetry.md Normal file
View File

@@ -0,0 +1,33 @@
# Usage Telemetry
Trivy collect anonymous usage data in order to help us improve the product. This document explains what is collected and how you can control it.
## Data collected
The following information could be collected:
- Environmental information
- Installation identifier
- Trivy version
- Operating system
- Scan
- Non-revealing scan options
## Privacy
No personal information, scan results, or sensitive data is specifically collected. We take the following measures to ensure that:
- Installation identifier: one-way hash of machine fingerprint, resulting in opaque string.
- Scaner: any option that is user controlled is omitted (never collected). For example, file paths, image names, etc are never collected.
Trivy is an Aqua Security product and adheres to the company's privacy policy: <https://aquasec.com/privacy>.
## Disabling telemetry
You can disable telemetry altogether using the `--disable-telemetry` flag. Like other Trivy flags, this can be set on the command line, YAML configuration file, or environment variable. For more details see [here](../configuration/index.md).
For example:
```bash
trivy image --disable-metrics alpine
```

11
docs/docs/configuration/others.md
View File

@@ -160,3 +160,14 @@ When we want to get the image `alpine` with the settings above. The logic will b
1. Try to get the image from `mirror.with.bad.auth/library/alpine`, but we get an error because there are no credentials for this registry.
2. Try to get the image from `mirror.without.image/library/alpine`, but we get an error because this registry doesn't have this image (but most likely it will be an error about authorization).
3. Get the image from `index.docker.io` (the original registry).
## Check for updates
Trivy periodically checks for updates and notices, and displays a message to the user with recommendations.
Updates checking is non-blocking and has no impact on scanning time, performance, results, or any user experience aspect besides displaying the message.
You can disable updates checking by specifying the `--skip-version-check` flag.
## Telemetry
Trivy collected usage data for product improvement. More details in the [Telemetry document](../advanced/telemetry.md).
You can disable telemetry collection using the `--disable-telemetry` flag.

144
docs/docs/configuration/skipping.md
View File

@@ -1,8 +1,22 @@
# Skipping Files and Directories
# Selecting files for scanning
This section details ways to specify the files and directories that Trivy should not scan.
When scanning a target (image, code repository, etc), Trivy traverses all directories and files in that target and looks for known files to scan. For example, vulnerability scanner might look for `/lib/apk/db/installed` for Alpine APK scanning or `requirements.txt` file for Python pip scanning, and misconfiguration scanner might look for `Dockerfile` for Dockerfile scanning. This document explains how to control which files Trivy looks (including skipping files) for and how it should process them.
!!! note
Selecting/skipping files is different from filtering/ignoring results, which is covered in the [Filtering document](./filtering.md)
## Skip Files and Directories
You can skip specific files and directories using the `--skip-files` and `--skip-dirs` flags.
For example:
```bash
trivy image --skip-files "/Gemfile.lock" --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
This feature is relevant for the following scanners:
## Skip Files
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
@@ -10,89 +24,58 @@ This section details ways to specify the files and directories that Trivy should
| Secret | ✓ |
| License | ✓ |
By default, Trivy traverses directories and searches for all necessary files for scanning.
You can skip files that you don't maintain using the `--skip-files` flag, or the equivalent Trivy YAML config option.
It's possible to specify glob patterns when referring to a file or directory. The glob expression follows the ["doublestar" library syntax](https://pkg.go.dev/github.com/bmatcuk/doublestar/v4@v4.8.1#readme-patterns).
Examples:
Using the `--skip-files` flag:
```bash
$ trivy image --skip-files "/Gemfile.lock" --skip-files "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
# skip any file named `bar` in the subdirectories of testdata
trivy image --skip-files "./testdata/*/bar" .
```
Using the Trivy YAML configuration:
```bash
# skip any files with the extension `.tf` in subdirectories of foo at any depth
trivy config --skip-files "./foo/**/*.tf" .
```
```bash
# skip all subdirectories of the testdata directory.
trivy image --skip-dirs "./testdata/*" .
```
```bash
# skip subdirectories at any depth named `.terraform/`.
# this will match `./foo/.terraform` or `./foo/bar/.terraform`, but not `./.terraform`
trivy config --skip-dirs "**/.terraform" .
```
Like any other flag, this is available as Trivy YAML configuration.
For example:
```yaml
image:
skip-files:
- foo
- "testdata/*/bar"
```
It's possible to specify globs as part of the value.
```bash
$ trivy image --skip-files "./testdata/*/bar" .
```
This will skip any file named `bar` in the subdirectories of testdata.
```bash
$ trivy config --skip-files "./foo/**/*.tf" .
```
This will skip any files with the extension `.tf` in subdirectories of foo at any depth.
## Skip Directories
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | ✓ |
By default, Trivy traverses directories and searches for all necessary files for scanning.
You can skip directories that you don't maintain using the `--skip-dirs` flag, or the equivalent Trivy YAML config option.
Using the `--skip-dirs` flag:
```bash
$ trivy image --skip-dirs /var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13 --skip-dirs "/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0" quay.io/fluentd_elasticsearch/fluentd:v2.9.0
```
Using the Trivy YAML configuration:
```yaml
image:
skip-dirs:
- foo/bar/
- "**/.terraform"
```
It's possible to specify globs as part of the value.
## Customizing file handling
You can customize which files Trivy scans and how it interprets them with the `--file-patterns` flag.
A file pattern configuration takes the following form: `<analyzer>:<path>`, such that files matching the `<path>` will be processed with the respective `<analyzer>`.
For example:
```bash
$ trivy image --skip-dirs "./testdata/*" .
trivy fs --file-patterns "pip:.requirements-test.txt ."
```
This will skip all subdirectories of the testdata directory.
This feature is relevant for the following scanners:
```bash
$ trivy config --skip-dirs "**/.terraform" .
```
This will skip subdirectories at any depth named `.terraform/`. (Note: this will match `./foo/.terraform` or
`./foo/bar/.terraform`, but not `./.terraform`.)
!!! tip
Glob patterns work with any trivy subcommand (image, config, etc.) and can be specified to skip both directories (with `--skip-dirs`) and files (with `--skip-files`).
### Advanced globbing
Trivy also supports bash style [extended](https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Pattern-Matching) glob pattern matching.
```bash
$ trivy image --skip-files "**/foo" image:tag
```
This will skip the file `foo` that happens to be nested under any parent(s).
## File patterns
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
@@ -100,20 +83,27 @@ This will skip the file `foo` that happens to be nested under any parent(s).
| Secret | |
| License | ✓[^1] |
When a directory is given as an input, Trivy will recursively look for and test all files based on file patterns.
The default file patterns are [here](../scanner/misconfiguration/custom/index.md).
The list of analyzers can be found [here](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/pkg/fanal/analyzer/const.go).
Note that this flag is not applicable for parsers that accepts files of different extensions, for example the Terraform file parser which handles .tf and .tf.json files.
In addition to the default file patterns, the `--file-patterns` option takes regexp patterns to look for your files.
For example, it may be useful when your file name of Dockerfile doesn't match the default patterns.
This can be repeated for specifying multiple file patterns.
The file path can use a [regular expression](https://pkg.go.dev/regexp/syntax). For example:
A file pattern contains the analyzer it is used for, and the pattern itself, joined by a semicolon. For example:
```
--file-patterns "dockerfile:.*.docker" --file-patterns "kubernetes:*.tpl" --file-patterns "pip:requirements-.*\.txt"
```bash
# interpret any file with .txt extension as a python pip requirements file
trivy fs --file-patterns "pip:requirements-.*\.txt .
```
The prefixes are listed [here](https://github.com/aquasecurity/trivy/tree/{{ git.commit }}/pkg/fanal/analyzer/const.go)
The flag can be repeated for specifying multiple file patterns. For example:
```bash
# look for Dockerfile called production.docker and a python pip requirements file called requirements-test.txt
trivy fs --scanners misconfig,vuln --file-patterns "dockerfile:.production.docker" --file-patterns "pip:.requirements-test.txt ."
```
[^1]: Only work with the [license-full](../scanner/license.md) flag)
[^1]: Only work with the [license-full](../scanner/license.md) flag
## Avoid full filesystem traversal
In specific scenarios Trivy can avoid traversing the entire filesystem, which makes scanning faster and more efficient.
For more information see [here](../target/rootfs.md#performance-optimization)

5
docs/docs/coverage/language/golang.md
View File

@@ -82,8 +82,9 @@ It possibly produces false positives.
See [the caveat](#stdlib-vulnerabilities) for details.
### License
To identify licenses, you need to download modules to local cache beforehand, such as `go mod download`, `go mod tidy`, etc.
Trivy traverses `$GOPATH/pkg/mod` and collects those extra information.
To identify licenses, you need to download modules to local cache beforehand, such as `go mod download`, `go mod tidy`, `go mod vendor`, etc.
If the `vendor` directory exists, Trivy uses this directory when scanning for license files.
For other cases Trivy traverses `$GOPATH/pkg/mod`dir and collects those extra information.
### Dependency Graph
Same as licenses, you need to download modules to local cache beforehand.

1
docs/docs/coverage/language/index.md
View File

@@ -31,6 +31,7 @@ On the other hand, when the target is a post-build artifact, like a container im
| [Node.js](nodejs.md) | package-lock.json | - | - | ✅ | ✅ |
| | yarn.lock | - | - | ✅ | ✅ |
| | pnpm-lock.yaml | - | - | ✅ | ✅ |
| | bun.lock | - | - | ✅ | ✅ |
| | package.json | ✅ | ✅ | - | - |
| [.NET](dotnet.md) | packages.lock.json | ✅ | ✅ | ✅ | ✅ |
| | packages.config | ✅ | ✅ | ✅ | ✅ |

17
docs/docs/coverage/language/java.md
View File

@@ -12,12 +12,12 @@ Each artifact supports the following scanners:
The following table provides an outline of the features Trivy offers.
| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
| pom.xml | Maven repository [^1] | Exclude | ✓ | ✓[^7] | - |
| *gradle.lockfile | - | Exclude | ✓ | ✓ | Not needed |
| *.sbt.lock | - | Exclude | - | ✓ | Not needed |
| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|------------------|:---------------------:|:----------------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
| pom.xml | Maven repository [^1] | Exclude | ✓ | ✓[^7] | - |
| *gradle.lockfile | - | [Exclude](#gradlelock) | ✓ | ✓ | Not needed |
| *.sbt.lock | - | Exclude | - | ✓ | Not needed |
These may be enabled or disabled depending on the target.
See [here](./index.md) for the detail.
@@ -96,6 +96,9 @@ If you need to show them, use the `--include-dev-deps` flag.
!!!note
All necessary files are checked locally. Gradle file scanning doesn't require internet access.
By default, Trivy doesn't report development dependencies.
Use the `--include-dev-deps` flag to include them in the results.
### Dependency-tree
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
@@ -105,7 +108,7 @@ But there is no reliable way to determine direct dependencies (even using other
Therefore, we mark all dependencies as indirect to use logic to guess direct dependencies and build a dependency tree.
### Licenses
Trity also can detect licenses for dependencies.
Trivy also can detect licenses for dependencies.
Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.

10
docs/docs/coverage/language/nodejs.md
View File

@@ -18,7 +18,7 @@ The following table provides an outline of the features Trivy offers.
| npm | package-lock.json | ✓ | [Excluded](#npm) | ✓ | ✓ |
| Yarn | yarn.lock | ✓ | [Excluded](#yarn) | ✓ | ✓ |
| pnpm | pnpm-lock.yaml | ✓ | [Excluded](#lock-file-v9-version) | ✓ | - |
| Bun | yarn.lock | ✓ | [Excluded](#yarn) | ✓ | ✓ |
| Bun | bun.lock | ✓ | [Excluded](#bun) | ✓ | ✓ |
In addition, Trivy scans installed packages with `package.json`.
@@ -72,7 +72,13 @@ To identify licenses, you need to download dependencies to `node_modules` before
Trivy supports `Dev` field for `pnpm-lock.yaml` v9 or later. Use the `--include-dev-deps` flag to include the developer's dependencies in the result.
### Bun
Trivy supports scanning `yarn.lock` files generated by [Bun](https://bun.sh/docs/install/lockfile#how-do-i-inspect-bun-s-lockfile). You can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock`.
Trivy also supports scanning `bun.lock` file generated by [Bun](https://bun.sh/blog/bun-lock-text-lockfile).
You can use Bun v1.2 which uses this file as default or use `bun install --save-text-lockfile` in Bun v1.1.39 to generate it.
For previous Bun versions you can use the command `bun install -y` to generate a Yarn-compatible `yarn.lock` and then scan it with Trivy.
#### Development dependencies
`bun.lock` contains information about package groups, such as production and development dependencies. By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
!!! note
`bun.lockb` is not supported.

15
docs/docs/coverage/os/bottlerocket.md Normal file
View File

@@ -0,0 +1,15 @@
# Bottlerocket
Trivy supports the following scanners for OS packages.
| Scanner | Supported |
| :-----------: | :-------: |
| SBOM | ✓ |
| Vulnerability | - |
| License | - |
Please see [here](index.md#supported-os) for supported versions.
## SBOM
Trivy detects packages that are listed in the [software inventory].
[software inventory]: https://bottlerocket.dev/en/os/1.37.x/concepts/variants/#software-inventory

30
docs/docs/coverage/os/echo.md Normal file
View File

@@ -0,0 +1,30 @@
# Echo
Trivy supports these scanners for OS packages.
| Scanner | Supported |
| :-----------: | :-------: |
| SBOM | ✓ |
| Vulnerability | ✓ |
| License | ✓ |
The table below outlines the features offered by Trivy.
| Feature | Supported |
|:------------------------------------:|:---------:|
| Unfixed vulnerabilities | ✓ |
| [Dependency graph][dependency-graph] | ✓ |
## SBOM
Same as [Debian](debian.md#sbom).
## Vulnerability
Echo offers its own security advisories, and these are utilized when scanning Echo for vulnerabilities.
### Data Source
See [here](../../scanner/vulnerability.md#data-sources).
## License
Same as [Debian](debian.md#license).
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[advisory]: https://advisory.echohq.com/data.json

3
docs/docs/coverage/os/index.md
View File

@@ -14,6 +14,7 @@ Trivy supports operating systems for
| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.21, edge | apk |
| [Wolfi Linux](wolfi.md) | (n/a) | apk |
| [Chainguard](chainguard.md) | (n/a) | apk |
| [MinimOS](minimos.md) | (n/a) | apk |
| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm |
| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm |
| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm |
@@ -26,8 +27,10 @@ Trivy supports operating systems for
| [SUSE Linux Enterprise](suse.md) | 11, 12, 15 | zypper/rpm |
| [SUSE Linux Enterprise Micro](suse.md)| 5, 6 | zypper/rpm |
| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm |
| [Echo](echo.md) | (n/a) | apt/dpkg |
| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg |
| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg |
| [Bottlerocket](bottlerocket.md) | 1.7.0 and upper | bottlerocket |
| [OSs with installed Conda](../others/conda.md) | - | conda |
## Supported container images

30
docs/docs/coverage/os/minimos.md Normal file
View File

@@ -0,0 +1,30 @@
# MinimOS
Trivy supports these scanners for OS packages.
| Scanner | Supported |
| :-----------: | :-------: |
| SBOM | ✓ |
| Vulnerability | ✓ |
| License | ✓ |
The table below outlines the features offered by Trivy.
| Feature | Supported |
|:------------------------------------:|:---------:|
| Detect unfixed vulnerabilities | - |
| [Dependency graph][dependency-graph] | ✓ |
## SBOM
Same as [Alpine Linux](alpine.md#sbom).
## Vulnerability
MinimOS offers its own security advisories, and these are utilized when scanning MinimOS for vulnerabilities.
Everything else is the same as [Alpine Linux](alpine.md#vulnerability).
### Data Source
See [here](../../scanner/vulnerability.md#data-sources).
## License
Same as [Alpine Linux](alpine.md#license).
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies

9
docs/docs/coverage/os/rhel.md
View File

@@ -22,6 +22,13 @@ Trivy detects packages that have been installed through package managers such as
## Vulnerability
Red Hat offers its own security advisories, and these are utilized when scanning Red Hat Enterprise Linux (RHEL) for vulnerabilities.
### Content manifests
Red Hats security advisories use CPEs to identify product sets. For example, even packages installed in the same container image can have different CPEs.
For this reason, Red Hats container images include stored content manifests, which we convert to CPEs, and perform vulnerability scanning.
Since this system ties each content manifest to its packages on a per-layer basis,
if layers get merged (for instance, by using `docker run` or `docker export`) we can no longer determine the correct CPE, which may lead to false detection.
### Data Source
See [here](../../scanner/vulnerability.md#data-sources).
@@ -82,3 +89,5 @@ Trivy identifies licenses by examining the metadata of RPM packages.
[NVD]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
[vulnerability statuses]: ../../configuration/filtering.md#by-status
[content-set-default]: https://github.com/aquasecurity/trivy/blob/c80310d7690d8aeb7d3d77416c18c0c8b9aebe17/pkg/detector/ospkg/redhat/redhat.go#L25-L42

1
docs/docs/references/configuration/cli/trivy_config.md
View File

@@ -51,6 +51,7 @@ trivy config [flags] DIR
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--password strings password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
--password-stdin password from stdin. Comma-separated passwords are not supported.
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend

7
docs/docs/references/configuration/cli/trivy_filesystem.md
View File

@@ -35,6 +35,7 @@ trivy filesystem [flags] PATH
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -75,7 +76,7 @@ trivy filesystem [flags] PATH
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-dev-deps include development dependencies in the report (supported: npm, yarn, gradle)
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
@@ -99,6 +100,7 @@ trivy filesystem [flags] PATH
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -125,6 +127,7 @@ trivy filesystem [flags] PATH
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
@@ -164,6 +167,8 @@ trivy filesystem [flags] PATH
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```

7
docs/docs/references/configuration/cli/trivy_image.md
View File

@@ -38,7 +38,7 @@ trivy image [flags] IMAGE_NAME
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate (allowed values: docker-cis-1.6.0)
--compliance string compliance report to generate (built-in compliance's: docker-cis-1.6.0)
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
@@ -49,6 +49,7 @@ trivy image [flags] IMAGE_NAME
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--docker-host string unix domain socket path to use for docker scanning
--download-db-only download/update vulnerability database but don't run a scan
@@ -120,6 +121,7 @@ trivy image [flags] IMAGE_NAME
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--platform string set platform in the form os/arch if image is multi-platform capable
--podman-host string unix podman socket path to use for podman scanning
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -147,6 +149,7 @@ trivy image [flags] IMAGE_NAME
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
@@ -185,6 +188,8 @@ trivy image [flags] IMAGE_NAME
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```

7
docs/docs/references/configuration/cli/trivy_kubernetes.md
View File

@@ -35,7 +35,7 @@ trivy kubernetes [flags] [CONTEXT]
--check-namespaces strings Rego namespaces
--checks-bundle-repository string OCI registry URL to retrieve checks bundle from (default "mirror.gcr.io/aquasec/trivy-checks:1")
--compliance string compliance report to generate
Allowed values:
Built-in compliance's:
- k8s-nsa-1.0
- k8s-cis-1.23
- eks-cis-1.4
@@ -52,6 +52,7 @@ trivy kubernetes [flags] [CONTEXT]
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
--disable-telemetry disable sending anonymous usage data to Aqua
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -111,6 +112,7 @@ trivy kubernetes [flags] [CONTEXT]
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--qps float specify the maximum QPS to the master from this client (default 5)
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -137,6 +139,7 @@ trivy kubernetes [flags] [CONTEXT]
--skip-files strings specify the files or glob patterns to skip
--skip-images skip the downloading and scanning of images (vulnerabilities and secrets) in the cluster resources
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
-t, --template string output template
--tf-exclude-downloaded-modules exclude misconfigurations for downloaded terraform modules
@@ -173,6 +176,8 @@ trivy kubernetes [flags] [CONTEXT]
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```

7
docs/docs/references/configuration/cli/trivy_repository.md
View File

@@ -35,6 +35,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
@@ -74,7 +75,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-dev-deps include development dependencies in the report (supported: npm, yarn, gradle)
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
@@ -98,6 +99,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -123,6 +125,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
--tag string pass the tag name to be scanned
@@ -163,6 +166,8 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```

5
docs/docs/references/configuration/cli/trivy_rootfs.md
View File

@@ -37,6 +37,7 @@ trivy rootfs [flags] ROOTDIR
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -101,6 +102,7 @@ trivy rootfs [flags] ROOTDIR
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -126,6 +128,7 @@ trivy rootfs [flags] ROOTDIR
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
@@ -165,6 +168,8 @@ trivy rootfs [flags] ROOTDIR
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```

6
docs/docs/references/configuration/cli/trivy_sbom.md
View File

@@ -29,6 +29,7 @@ trivy sbom [flags] SBOM_PATH
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -98,9 +99,8 @@ trivy sbom [flags] SBOM_PATH
(default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
@@ -137,6 +137,8 @@ trivy sbom [flags] SBOM_PATH
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```

5
docs/docs/references/configuration/cli/trivy_vm.md
View File

@@ -33,6 +33,7 @@ trivy vm [flags] VM_IMAGE
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(allowed values: precise,comprehensive) (default "precise")
--disable-telemetry disable sending anonymous usage data to Aqua
--distro string [EXPERIMENTAL] specify a distribution, <family>/<version>
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
@@ -91,6 +92,7 @@ trivy vm [flags] VM_IMAGE
- indirect
(default [unknown,root,workspace,direct,indirect])
--pkg-types strings list of package types (allowed values: os,library) (default [os,library])
--raw-config-scanners strings specify the types of scanners that will also scan raw configurations. For example, scanners will scan a non-adapted configuration into a shared state (allowed values: terraform)
--redis-ca string redis ca file location, if using redis as cache backend
--redis-cert string redis certificate file location, if using redis as cache backend
--redis-key string redis key file location, if using redis as cache backend
@@ -114,6 +116,7 @@ trivy vm [flags] VM_IMAGE
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
--skip-java-db-update skip updating Java index database
--skip-version-check suppress notices about version updates and Trivy announcements
--skip-vex-repo-update [EXPERIMENTAL] Skip VEX Repository update
--table-mode strings [EXPERIMENTAL] tables that will be displayed in 'table' format (allowed values: summary,detailed) (default [summary,detailed])
-t, --template string output template
@@ -150,6 +153,8 @@ trivy vm [flags] VM_IMAGE
- chainguard
- bitnami
- govulndb
- echo
- minimos
- auto
(default [auto])
```

9
docs/docs/references/configuration/config-file.md
View File

@@ -409,6 +409,9 @@ misconfiguration:
# Same as '--include-non-failures'
include-non-failures: false
# Same as '--raw-config-scanners'
raw-config-scanners: []
# Same as '--render-cause'
render-cause: []
@@ -583,6 +586,9 @@ scan:
# Same as '--detection-priority'
detection-priority: "precise"
# Same as '--disable-telemetry'
disable-telemetry: false
# Same as '--distro'
distro: ""
@@ -612,6 +618,9 @@ scan:
# Same as '--skip-files'
skip-files: []
# Same as '--skip-version-check'
skip-version-check: false
```
## Secret options

22
docs/docs/scanner/license.md
View File

@@ -342,6 +342,28 @@ license:
permissive: []
```
#### Text licenses
By default, Trivy categorizes a license as UNKNOWN if it cannot determine the license name from the license text.
To define a category for a text license, you need to add license with the `text://` prefix to license classification.
For example:
```yaml
license:
forbidden:
- "text://Text of Apache Software Foundation License"
```
But a text license can by large. So for these cases Trivy supports using `regex` in license classification.
For example:
```yaml
license:
forbidden:
- "text://.* Apache Software .*"
```
!!! note
`regex` is only used for text licenses and can't be used to configure license IDs.
[^1]: See the list of supported language files [here](../coverage/language/index.md).
[^2]: Some lock files require additional files (e.g. files from the cache directory) to detect licenses. Check [coverage][coverage] for more information.

259
docs/docs/scanner/misconfiguration/config/config.md Normal file
View File

@@ -0,0 +1,259 @@
This page describes misconfiguration-specific configuration.
### Enabling a subset of misconfiguration scanners
It's possible to only enable certain misconfiguration scanners if you prefer.
You can do so by passing the `--misconfig-scanners` option.
This flag takes a comma-separated list of configuration scanner types.
```bash
trivy config --misconfig-scanners=terraform,dockerfile .
```
Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.
### Loading custom checks
You can load check files or directories including your custom checks using the `--config-check` flag.
This can be repeated for specifying multiple files or directories.
```bash
trivy config --config-check custom-policy/policy --config-check combine/policy --config-check policy.rego --namespaces user myapp
```
You can load checks bundle as OCI Image from a Container Registry using the `--checks-bundle-repository` flag.
```bash
trivy config --checks-bundle-repository myregistry.local/mychecks --namespaces user myapp
```
### Passing custom data
You can pass directories including your custom data through `--data` option.
This can be repeated for specifying multiple directories.
```bash
cd examples/misconf/custom-data
trivy config --config-check ./my-check --data ./data --namespaces user ./configs
```
For more details, see [Custom Data](./custom/data.md).
### Passing namespaces
By default, Trivy evaluates checks defined in `builtin.*`.
If you want to evaluate custom checks in other packages, you have to specify package prefixes through `--namespaces` option.
This can be repeated for specifying multiple packages.
``` bash
trivy config --config-check ./my-check --namespaces main --namespaces user ./configs
```
### Private Terraform registries
Trivy can download Terraform code from private registries.
To pass credentials you must use the `TF_TOKEN_` environment variables.
You cannot use a `.terraformrc` or `terraform.rc` file, these are not supported by trivy yet.
From the Terraform [docs](https://developer.hashicorp.com/terraform/cli/config/config-file#environment-variable-credentials):
> Environment variable names should have the prefix TF_TOKEN_ added to the domain name, with periods encoded as underscores.
> For example, the value of a variable named `TF_TOKEN_app_terraform_io` will be used as a bearer authorization token when the CLI makes service requests to the hostname `app.terraform.io`.
>
> You must convert domain names containing non-ASCII characters to their punycode equivalent with an ACE prefix.
> For example, token credentials for `例えば.com` must be set in a variable called `TF_TOKEN_xn--r8j3dr99h_com`.
>
> Hyphens are also valid within host names but usually invalid as variable names and may be encoded as double underscores.
> For example, you can set a token for the domain name café.fr as TF_TOKEN_xn--caf-dma_fr or TF_TOKEN_xn____caf__dma_fr.
If multiple variables evaluate to the same hostname, Trivy will choose the environment variable name where the dashes have not been encoded as double underscores.
### Filtering resources by inline comments
Trivy supports ignoring misconfigured resources by inline comments for Terraform, CloudFormation and Helm configuration files only.
In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments).
The ignore rule must contain one of the possible check IDs that can be found in its metadata: ID, short code or alias. The `id` from the metadata is not case-sensitive, so you can specify, for example, `AVD-AWS-0089` or `avd-aws-0089`.
For example, to ignore a misconfiguration ID `AVD-GCP-0051` in a Terraform HCL file:
```terraform
#trivy:ignore:AVD-GCP-0051
resource "google_container_cluster" "example" {
name = var.cluster_name
location = var.region
}
```
You can add multiple ignores on the same comment line:
```terraform
#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053
resource "google_container_cluster" "example" {
name = var.cluster_name
location = var.region
}
```
You can also specify a long ID, which is formed as follows: `<provider>-<service>-<short-code>`.
As an example, consider the following check metadata:
```yaml
# custom:
# id: AVD-AWS-0089
# avd_id: AVD-AWS-0089
# provider: aws
# service: s3
# severity: LOW
# short_code: enable-logging
```
Long ID would look like the following: `aws-s3-enable-logging`.
Example for CloudFromation:
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
#trivy:ignore:*
S3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: test-bucket
```
!!!note
Ignore rules for Helm files should be placed before the YAML object, since only it contains the location data needed for ignoring.
Example for Helm:
```yaml
serviceAccountName: "testchart.serviceAccountName"
containers:
# trivy:ignore:KSV018
- name: "testchart"
securityContext:
runAsUser: 1000
runAsGroup: 3000
image: "your-repository/your-image:your-tag"
imagePullPolicy: "Always"
#### Expiration Date
You can specify the expiration date of the ignore rule in `yyyy-mm-dd` format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
```tf
#trivy:ignore:aws-s3-enable-logging:exp:2024-03-10
resource "aws_s3_bucket" "example" {
bucket = "test"
}
```
The `aws-s3-enable-logging` check will be ignored until `2024-03-10` until the ignore rule expires.
#### Ignoring by attributes
You can ignore a resource by its attribute value. This is useful when using the `for-each` meta-argument. For example:
```tf
locals {
ports = ["3306", "5432"]
}
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
resource "aws_security_group_rule" "example" {
for_each = toset(local.ports)
type = "ingress"
from_port = each.key
to_port = each.key
protocol = "TCP"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.example.id
source_security_group_id = aws_security_group.example.id
}
```
The `aws-ec2-no-public-ingress-sgr` check will be ignored only for the `aws_security_group_rule` resource with port number `5432`. It is important to note that the ignore rule should not enclose the attribute value in quotes, despite the fact that the port is represented as a string.
If you want to ignore multiple resources on different attributes, you can specify multiple ignore rules:
```tf
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=3306]
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=5432]
```
You can also ignore a resource on multiple attributes in the same rule:
```tf
locals {
rules = {
first = {
port = 1000
type = "ingress"
},
second = {
port = 1000
type = "egress"
}
}
}
#trivy:ignore:aws-ec2-no-public-ingress-sgr[from_port=1000,type=egress]
resource "aws_security_group_rule" "example" {
for_each = { for k, v in local.rules : k => v }
type = each.value.type
from_port = each.value.port
to_port = each.value.port
protocol = "TCP"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.example.id
source_security_group_id = aws_security_group.example.id
}
```
Checks can also be ignored by nested attributes:
```tf
#trivy:ignore:*[logging_config.prefix=myprefix]
resource "aws_cloudfront_distribution" "example" {
logging_config {
include_cookies = false
bucket = "mylogs.s3.amazonaws.com"
prefix = "myprefix"
}
}
```
#### Ignoring module issues
Issues in third-party modules cannot be ignored using the method described above, because you may not have access to modify the module source code. In such a situation you can add ignore rules above the module block, for example:
```tf
#trivy:ignore:aws-s3-enable-logging
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
bucket = "my-s3-bucket"
}
```
An example of ignoring checks for a specific bucket in a module:
```tf
locals {
bucket = ["test1", "test2"]
}
#trivy:ignore:*[bucket=test1]
module "s3_bucket" {
for_each = toset(local.bucket)
source = "terraform-aws-modules/s3-bucket/aws"
bucket = each.value
}
```
#### Support for Wildcards
You can use wildcards in the `ws` (workspace) and `ignore` sections of the ignore rules.
```tf
# trivy:ignore:aws-s3-*:ws:dev-*
```
This example ignores all checks starting with `aws-s3-` for workspaces matching the pattern `dev-*`.

24
docs/docs/scanner/misconfiguration/custom/index.md
View File

@@ -121,17 +121,18 @@ Trivy supports extra fields in the `custom` section as described below.
If you are creating checks for your Trivy misconfiguration scans, some fields are optional as referenced in the table below. The `schemas` field should be used to enable policy validation using a built-in schema. It is recommended to use this to ensure your checks are
correct and do not reference incorrect properties/values.
| Field name | Allowed values | Default value | In table | In JSON |
|----------------------------|-------------------------------------------------------------------|:----------------------------:|:--------:|:-------:|
| title | Any characters | N/A | ✅ | ✅ |
| description | Any characters | | - | ✅ |
| schemas.input | `schema["kubernetes"]`, `schema["dockerfile"]`, `schema["cloud"]` | (applied to all input types) | - | - |
| custom.id | Any characters | N/A | ✅ | ✅ |
| custom.severity | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` | UNKNOWN | ✅ | ✅ |
| custom.recommended_actions | Any characters | | - | ✅ |
| custom.deprecated | `true`, `false` | `false` | - | ✅ |
| custom.input.selector.type | Any item(s) in [this list][source-types] | | - | ✅ |
| url | Any characters | | - | ✅ |
| Field name | Allowed values | Default value | In table | In JSON |
|------------------------------|---------------------------------------------------------------------|:----------------------------:|:--------:|:-------:|
| title | Any characters | N/A | ✅ | ✅ |
| description | Any characters | | - | ✅ |
| schemas.input | `schema["kubernetes"]`, `schema["dockerfile"]`, `schema["cloud"]` | (applied to all input types) | - | - |
| custom.id | Any characters | N/A | ✅ | ✅ |
| custom.severity | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` | UNKNOWN | ✅ | ✅ |
| custom.recommended_actions | Any characters | | - | ✅ |
| custom.deprecated | `true`, `false` | `false` | - | ✅ |
| custom.input.selector.type | Any item(s) in [this list][source-types] | | - | ✅ |
| custom.minimum_trivy_version | The minimum version of Trivy that's required to evaluate this check | | - | ✅ |
| url | Any characters | | - | ✅ |
#### custom.avd_id and custom.id
@@ -207,6 +208,7 @@ You can specify input format via the `custom.input` annotation.
- `yaml` (Generic YAML)
- `json` (Generic JSON)
- `toml` (Generic TOML)
- `terraform-raw` (Terraform configuration is not converted to common state as for the Cloud format, allowing for more flexible and direct checks on the original code)
When configuration languages such as Kubernetes are not identified, file formats such as JSON will be used as `type`.
When a configuration language is identified, it will overwrite `type`.

126
docs/docs/scanner/misconfiguration/custom/schema.md
View File

@@ -1,11 +1,38 @@
# Input Schema
## Overview
Checks can be defined with custom schemas that allow inputs to be verified against them. Adding a policy schema
Schemas are declarative documents that define the structure, data types and constraints of inputs being scanned. Trivy provides certain schemas out of the box as seen in the explorer [here](https://aquasecurity.github.io/trivy-schemas/). You can also find the source code for the schemas [here](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas).
It is not required to pass in schemas, in order to scan inputs by Trivy but are required if type-checking is needed.
Checks can be defined with custom schemas that allow inputs to be verified against them. Adding an input schema
enables Trivy to show more detailed error messages when an invalid input is encountered.
In Trivy we have been able to define a schema for a [Dockerfile](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas)
Without input schemas, a policy would be as follows:
## Unified Schema
One of the unique advantages of Trivy is to take a variety of inputs, such as IaC files (e.g. CloudFormation, Terraform etc.) and also live cloud scanning
(e.g. [Trivy AWS plugin](https://github.com/aquasecurity/trivy-aws)) and normalize them into a standard structure, as defined by the schema.
An example of such an application would be scanning AWS resources. You can scan them prior to deployment via the Trivy misconfiguration scanner and also
scan them after they've been deployed in the cloud with Trivy AWS scanning. Both scan methods should yield the same result as resources are gathered into
a unified representation as defined by the [Cloud schema](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json).
## Supported Schemas
Currently out of the box the following schemas are supported natively:
1. [Docker](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json)
2. [Kubernetes](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/kubernetes.json)
3. [Cloud](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json)
4. [Terraform Raw Format](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/terraform-raw.json)
You can interactively view these schemas with the [Trivy Schema Explorer](https://aquasecurity.github.io/trivy-schemas/)
## Example
As mentioned earlier, amongst other built-in schemas, Trivy offers a built in-schema for scanning Dockerfiles. It is available [here](https://github.com/aquasecurity/trivy/tree/main/pkg/iac/rego/schemas)
Without input schemas, a check would be as follows:
!!! example
```
@@ -17,10 +44,10 @@ Without input schemas, a policy would be as follows:
}
```
If this policy is run against offending Dockerfile(s), there will not be any issues as the policy will fail to evaluate.
Although the policy's failure to evaluate is legitimate, this should not result in a positive result for the scan.
If this check is run against an offending Dockerfile(s), there will not be any issues as the check will fail to evaluate.
Although the check's failure to evaluate is legitimate, this should not result in a positive result for the scan.
For instance if we have a policy that checks for misconfigurations in a `Dockerfile`, we could define the
For instance if we have a check that checks for misconfigurations in a `Dockerfile`, we could define the
schema as such
!!! example
@@ -38,26 +65,20 @@ schema as such
Here `input: schema["dockerfile"]` points to a schema that expects a valid `Dockerfile` as input. An example of this
can be found [here](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json).
Now if this policy is evaluated against, a more descriptive error will be available to help fix the problem.
Now if this check is evaluated against, a more descriptive error will be available to help fix the problem.
```bash
1 error occurred: testpolicy.rego:8: rego_type_error: undefined ref: input.evil
1 error occurred: testcheck.rego:8: rego_type_error: undefined ref: input.evil
input.evil
^
have: "evil"
want (one of): ["Stages"]
```
Currently, out of the box the following schemas are supported natively:
1. [Docker](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/dockerfile.json)
2. [Kubernetes](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/kubernetes.json)
3. [Cloud](https://github.com/aquasecurity/trivy/blob/main/pkg/iac/rego/schemas/cloud.json)
## Custom Checks with Custom Schemas
You can also bring a custom policy that defines one or more custom schema.
You can also bring a custom check that defines one or more custom schema.
!!! example
```
@@ -77,16 +98,83 @@ The checks can be placed in a structure as follows
!!! example
```
/Users/user/my-custom-checks
├── my_policy.rego
├── my_check.rego
└── schemas
└── fooschema.json
└── barschema.json
```
To use such a policy with Trivy, use the `--config-policy` flag that points to the policy file or to the directory where the schemas and checks are contained.
To use such a check with Trivy, use the `--config-check` flag that points to the check file or to the directory where the schemas and checks are contained.
```bash
$ trivy --config-policy=/Users/user/my-custom-checks <path/to/iac>
$ trivy --config-check=/Users/user/my-custom-checks <path/to/iac>
```
For more details on how to define schemas within Rego checks, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail.
For more details on how to define schemas within Rego checks, please see the [OPA guide](https://www.openpolicyagent.org/docs/latest/policy-language/#schema-annotations) that describes it in more detail.
### Scan arbitrary JSON and YAML configurations
By default, scanning JSON and YAML configurations is disabled, since Trivy does not contain built-in checks for these configurations. To enable it, pass the `json` or `yaml` to `--misconfig-scanners`. Trivy will pass each file as is to the checks input.
!!! example
```bash
$ cat iac/serverless.yaml
service: serverless-rest-api-with-pynamodb
frameworkVersion: ">=2.24.0"
plugins:
- serverless-python-requirements
...
$ cat serverless.rego
# METADATA
# title: Serverless Framework service name not starting with "aws-"
# description: Ensure that Serverless Framework service names start with "aws-"
# schemas:
# - input: schema["serverless-schema"]
# custom:
# id: SF001
# severity: LOW
package user.serverless001
deny[res] {
not startswith(input.service, "aws-")
res := result.new(
sprintf("Service name %q is not allowed", [input.service]),
input.service
)
}
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac
serverless.yaml (yaml)
Tests: 4 (SUCCESSES: 3, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
LOW: Service name "serverless-rest-api-with-pynamodb" is not allowed
═════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure that Serverless Framework service names start with "aws-"
```
!!! note
In the case above, the custom check specified has a metadata annotation for the input schema `input: schema["serverless-schema"]`. This allows Trivy to type check the input IaC files provided.
Optionally, you can also pass schemas using the `config-file-schemas` flag. Trivy will use these schemas for file filtering and type checking in Rego checks.
!!! example
```bash
$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user --config-file-schemas ./serverless-schema.json ./iac
```
If the `--config-file-schemas` flag is specified Trivy ensures that each input IaC config file being scanned is type-checked against the schema. If the input file does not match any of the passed schemas, it will be ignored.
If the schema is specified in the check metadata and is in the directory specified in the `--config-check` argument, it will be automatically loaded as specified [here](./custom/schema.md#custom-checks-with-custom-schemas), and will only be used for type checking in Rego.
!!! note
If a user specifies the `--config-file-schemas` flag, all input IaC config files are ensured that they pass type-checking. It is not required to pass an input schema in case type checking is not required. This is helpful for scenarios where you simply want to write a Rego check and pass in IaC input for it. Such a use case could include scanning for a new service which Trivy might not support just yet.
!!! tip
It is also possible to specify multiple input schemas with `--config-file-schema` flag as it can accept a comma seperated list of file paths or a directory as input. In the case of multiple schemas being specified, all of them will be evaluated against all the input files.

5
docs/docs/scanner/vulnerability.md
View File

@@ -25,7 +25,9 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes.
| Alpine Linux | [secdb][alpine] |
| Wolfi Linux | [secdb][wolfi] |
| Chainguard | [secdb][chainguard] |
| MinimOS | [secdb][minimos] |
| Amazon Linux | [Amazon Linux Security Center][amazon] |
| Echo | [Echo][echo] |
| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] |
| Ubuntu | [Ubuntu CVE Tracker][ubuntu] |
| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] |
@@ -120,7 +122,6 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
| PHP | [PHP Security Advisories Database][php] | ✅ | - |
| | [GitHub Advisory Database (Composer)][php-ghsa] | ✅ | - |
| Python | [GitHub Advisory Database (pip)][python-ghsa] | ✅ | - |
| | [Open Source Vulnerabilities (PyPI)][python-osv] | ✅ | - |
| Ruby | [Ruby Advisory Database][ruby] | ✅ | - |
| | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅ | - |
| Node.js | [Ecosystem Security Working Group][nodejs] | ✅ | - |
@@ -379,7 +380,9 @@ Example logic for the following vendor severity levels when scanning an Alpine i
[alpine]: https://secdb.alpinelinux.org/
[wolfi]: https://packages.wolfi.dev/os/security.json
[chainguard]: https://packages.cgr.dev/chainguard/security.json
[minimos]: https://packages.mini.dev/advisories/secdb/security.json
[amazon]: https://alas.aws.amazon.com/
[echo]: https://advisory.echohq.com/data.json
[debian-tracker]: https://security-tracker.debian.org/tracker/
[debian-oval]: https://www.debian.org/security/oval/
[ubuntu]: https://ubuntu.com/security/cve

3
docs/docs/target/rootfs.md
View File

@@ -14,6 +14,9 @@ $ trivy rootfs /path/to/rootfs
You should use `trivy fs` to scan your local projects in CI/CD.
See [here](../scanner/vulnerability.md) for the differences.
!!! note
Scanning vulnerabilities for `Red Hat` has a limitation, see the [Red Hat](../coverage/os/rhel.md#content-manifests) page for details.
## Performance Optimization
By default, Trivy traverses all files from the specified root directory to find target files for scanning.

3
docs/docs/target/vm.md
View File

@@ -150,6 +150,9 @@ See [here](../scanner/vulnerability.md) for the detail.
$ trivy vm [YOUR_VM_IMAGE]
```
!!! note
Scanning `Red Hat` has a limitation, see the [Red Hat](../coverage/os/rhel.md#content-manifests) page for details.
### Misconfigurations
It is supported, but it is not useful in most cases.
As mentioned [here](../scanner/misconfiguration/index.md), Trivy mainly supports Infrastructure as Code (IaC) files for misconfigurations.

2
docs/tutorials/misconfiguration/custom-checks.md
View File

@@ -48,7 +48,7 @@ package custom.dockerfile.ID001
import future.keywords.in
```
Every rego check has a package name. In our case, we will call it `custom.dockerfile.ID001` to avoid confusion between custom checks and built-in checks. The group name `dockerfile` has no effect on the package name. Note that each package has to contain only one check. However, we can pass multiple checks into our Trivy scan.
Every Rego check has a package name. In our case, we will call it `custom.dockerfile.ID001` to avoid confusion between custom checks and built-in checks. The group name `dockerfile` has no effect on the package name. Note that each package has to contain only one check. However, we can pass multiple checks into our Trivy scan.
The first keyword of the package, in this case `custom`, will be reused in the `trivy` command as the `--namespace`.
## Allowed data

2
docs/tutorials/misconfiguration/terraform.md
View File

@@ -90,7 +90,7 @@ trivy config --tf-vars terraform.tfvars ./
```
### Custom Checks
We have lots of examples in the [documentation](https://trivy.dev/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego checks into terraform misconfiguration scans.
We have lots of examples in the [documentation](https://trivy.dev/latest/docs/scanner/misconfiguration/custom/) on how you can write and pass custom Rego checks into terraform misconfiguration scans.
## Secret and vulnerability scans

152
go.mod
View File

@@ -5,7 +5,7 @@ go 1.24.2
require (
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0
github.com/BurntSushi/toml v1.5.0
github.com/CycloneDX/cyclonedx-go v0.9.2
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
@@ -23,14 +23,14 @@ require (
github.com/aquasecurity/table v1.10.0
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v1.10.0
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d
github.com/aquasecurity/trivy-checks v1.11.2-0.20250529074512-7afea1b738c4
github.com/aquasecurity/trivy-db v0.0.0-20250529093513-a12dfc204b6e
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.8.2
github.com/aquasecurity/trivy-kubernetes v0.9.0
github.com/aws/aws-sdk-go-v2 v1.36.3
github.com/aws/aws-sdk-go-v2/config v1.29.14
github.com/aws/aws-sdk-go-v2/credentials v1.17.67
github.com/aws/aws-sdk-go-v2/service/ec2 v1.213.0
github.com/aws/aws-sdk-go-v2/service/ec2 v1.218.0
github.com/aws/aws-sdk-go-v2/service/ecr v1.44.0
github.com/aws/aws-sdk-go-v2/service/s3 v1.79.3
github.com/aws/smithy-go v1.22.3
@@ -38,7 +38,7 @@ require (
github.com/bmatcuk/doublestar/v4 v4.8.1
github.com/cenkalti/backoff/v4 v4.3.0
github.com/cheggaaa/pb/v3 v3.1.7
github.com/containerd/containerd/v2 v2.0.5
github.com/containerd/containerd/v2 v2.1.1
github.com/containerd/platforms v1.0.0-rc.1
github.com/distribution/reference v0.6.0
github.com/docker/cli v28.1.1+incompatible
@@ -48,12 +48,10 @@ require (
github.com/fatih/color v1.18.0
github.com/go-git/go-git/v5 v5.16.0
github.com/go-json-experiment/json v0.0.0-20250223041408-d3c622f1b874 // Replace with encoding/json/v2 when proposal is accepted. Track https://github.com/golang/go/issues/71497
github.com/go-openapi/runtime v0.28.0 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-redis/redis/v8 v8.11.5
github.com/gocsaf/csaf/v3 v3.2.0
github.com/golang-jwt/jwt/v5 v5.2.2
github.com/google/go-containerregistry v0.20.3
github.com/google/go-containerregistry v0.20.5
github.com/google/go-github/v62 v62.0.0
github.com/google/licenseclassifier/v2 v2.0.0
github.com/google/uuid v1.6.0
@@ -93,7 +91,6 @@ require (
github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553
github.com/openvex/go-vex v0.2.5
github.com/owenrumney/go-sarif/v2 v2.3.3
github.com/owenrumney/squealer v1.2.11 // indirect
github.com/package-url/packageurl-go v0.1.3
github.com/quasilyte/go-ruleguard/dsl v0.3.22
github.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c
@@ -115,29 +112,27 @@ require (
github.com/twitchtv/twirp v8.1.3+incompatible
github.com/xeipuuv/gojsonschema v1.2.0
github.com/xlab/treeprint v1.2.0
github.com/zclconf/go-cty v1.16.2
github.com/zclconf/go-cty v1.16.3
github.com/zclconf/go-cty-yaml v1.1.0
go.etcd.io/bbolt v1.4.0
golang.org/x/crypto v0.37.0
golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
golang.org/x/crypto v0.38.0
golang.org/x/mod v0.24.0
golang.org/x/net v0.39.0
golang.org/x/sync v0.13.0
golang.org/x/term v0.31.0
golang.org/x/text v0.24.0
golang.org/x/net v0.40.0
golang.org/x/sync v0.14.0
golang.org/x/term v0.32.0
golang.org/x/text v0.25.0
golang.org/x/vuln v1.1.4
golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9
google.golang.org/protobuf v1.36.6
gopkg.in/yaml.v3 v3.0.1
helm.sh/helm/v3 v3.17.3
k8s.io/api v0.33.0
k8s.io/api v0.33.1
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
modernc.org/sqlite v1.37.0
sigs.k8s.io/yaml v1.4.0 // indirect
)
require (
cel.dev/expr v0.19.1 // indirect
cel.dev/expr v0.20.0 // indirect
cloud.google.com/go v0.118.3 // indirect
cloud.google.com/go/auth v0.15.0 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
@@ -147,7 +142,6 @@ require (
cloud.google.com/go/storage v1.50.0 // indirect
dario.cat/mergo v1.0.1 // indirect
github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -158,7 +152,7 @@ require (
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
github.com/DataDog/zstd v1.5.5 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 // indirect
github.com/Intevation/gval v1.3.0 // indirect
@@ -168,15 +162,28 @@ require (
github.com/Masterminds/semver/v3 v3.3.0 // indirect
github.com/Masterminds/squirrel v1.5.4 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/Microsoft/hcsshim v0.12.9 // indirect
github.com/Microsoft/hcsshim v0.13.0 // indirect
github.com/ProtonMail/go-crypto v1.1.6 // indirect
github.com/VividCortex/ewma v1.2.0 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
github.com/agnivade/levenshtein v1.2.1 // indirect
github.com/alessio/shellescape v1.4.1 // indirect
github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/aquasecurity/jfather v0.0.8 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go v1.55.7 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
@@ -185,10 +192,10 @@ require (
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/cloudflare/circl v1.6.1 // indirect
github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3 // indirect
github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect
github.com/containerd/cgroups/v3 v3.0.5 // indirect
github.com/containerd/containerd v1.7.27 // indirect
github.com/containerd/containerd/api v1.8.0 // indirect
github.com/containerd/containerd/api v1.9.0 // indirect
github.com/containerd/continuity v0.4.5 // indirect
github.com/containerd/errdefs v1.0.0 // indirect
github.com/containerd/errdefs/pkg v0.3.0 // indirect
@@ -199,7 +206,7 @@ require (
github.com/containerd/ttrpc v1.2.7 // indirect
github.com/containerd/typeurl/v2 v2.2.3 // indirect
github.com/cpuguy83/dockercfg v0.3.2 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
github.com/cyphar/filepath-securejoin v0.4.1 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
@@ -213,13 +220,16 @@ require (
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/ebitengine/purego v0.8.2 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
github.com/evanphx/json-patch v5.9.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.8.0 // indirect
github.com/fsnotify/fsnotify v1.9.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-errors/errors v1.4.2 // indirect
@@ -236,9 +246,12 @@ require (
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
github.com/go-openapi/loads v0.22.0 // indirect
github.com/go-openapi/runtime v0.28.0 // indirect
github.com/go-openapi/spec v0.21.0 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-openapi/swag v0.23.1 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/goccy/go-yaml v1.15.23 // indirect
github.com/gofrs/uuid v4.3.1+incompatible // indirect
@@ -250,9 +263,12 @@ require (
github.com/google/certificate-transparency-go v1.1.8 // indirect
github.com/google/gnostic-models v0.6.9 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/go-github/v31 v31.0.0 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/s2a-go v0.1.9 // indirect
github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
github.com/google/subcommands v1.2.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
github.com/googleapis/gax-go/v2 v2.14.1 // indirect
github.com/gorilla/mux v1.8.1 // indirect
@@ -274,6 +290,7 @@ require (
github.com/json-iterator/go v1.1.12 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/klauspost/compress v1.18.0 // indirect
github.com/knqyf263/labeler v0.0.0-20200423181506-7a6e545148c3 // indirect
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
@@ -291,9 +308,11 @@ require (
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/go-archive v0.1.0 // indirect
github.com/moby/locker v1.0.1 // indirect
github.com/moby/patternmatcher v0.6.0 // indirect
github.com/moby/spdystream v0.5.0 // indirect
github.com/moby/sys/atomicwriter v0.1.0 // indirect
github.com/moby/sys/mountinfo v0.7.2 // indirect
github.com/moby/sys/sequential v0.6.0 // indirect
github.com/moby/sys/signal v0.7.1 // indirect
@@ -309,10 +328,13 @@ require (
github.com/ncruces/go-strftime v0.1.9 // indirect
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/runtime-spec v1.2.0 // indirect
github.com/opencontainers/selinux v1.11.1 // indirect
github.com/oklog/ulid/v2 v2.1.0 // indirect
github.com/opencontainers/runtime-spec v1.2.1 // indirect
github.com/opencontainers/selinux v1.12.0 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml/v2 v2.2.3 // indirect
github.com/owenrumney/squealer v1.2.11 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pelletier/go-toml/v2 v2.2.4 // indirect
github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
github.com/pjbgf/sha1cd v0.3.2 // indirect
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
@@ -330,17 +352,21 @@ require (
github.com/rubenv/sql-migrate v1.7.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/sagikazarmark/locafero v0.7.0 // indirect
github.com/samber/oops v1.16.1 // indirect
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/shirou/gopsutil/v4 v4.25.1 // indirect
github.com/shopspring/decimal v1.4.0 // indirect
github.com/sigstore/cosign/v2 v2.2.4 // indirect
github.com/sigstore/protobuf-specs v0.4.1 // indirect
github.com/sigstore/sigstore v1.9.1 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/skeema/knownhosts v1.3.1 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/spf13/afero v1.12.0 // indirect
github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
@@ -349,10 +375,11 @@ require (
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/tklauser/go-sysconf v0.3.13 // indirect
github.com/tklauser/numcpus v0.7.0 // indirect
github.com/tonglil/versioning v0.0.0-20170205083536-8b2a4334bd1d // indirect
github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
github.com/ulikunitz/xz v0.5.12 // indirect
github.com/vbatts/tar-split v0.11.6 // indirect
github.com/vbatts/tar-split v0.12.1 // indirect
github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
github.com/x448/float16 v0.8.4 // indirect
@@ -363,11 +390,12 @@ require (
github.com/yashtewari/glob-intersection v0.2.0 // indirect
github.com/yuin/gopher-lua v1.1.1 // indirect
github.com/yusufpapurcu/wmi v1.2.4 // indirect
github.com/zeebo/errs v1.4.0 // indirect
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.34.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
go.opentelemetry.io/otel v1.35.0 // indirect
go.opentelemetry.io/otel/metric v1.35.0 // indirect
@@ -376,73 +404,43 @@ require (
go.opentelemetry.io/otel/trace v1.35.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/oauth2 v0.28.0 // indirect
golang.org/x/sys v0.32.0 // indirect
golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
golang.org/x/oauth2 v0.30.0 // indirect
golang.org/x/sys v0.33.0 // indirect
golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
golang.org/x/time v0.11.0 // indirect
golang.org/x/tools v0.32.0 // indirect
golang.org/x/tools v0.33.0 // indirect
google.golang.org/api v0.228.0 // indirect
google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
google.golang.org/grpc v1.71.1 // indirect
google.golang.org/grpc v1.72.0 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/apiextensions-apiserver v0.32.2 // indirect
k8s.io/apimachinery v0.33.0 // indirect
k8s.io/apiserver v0.32.2 // indirect
k8s.io/cli-runtime v0.33.0 // indirect
k8s.io/client-go v0.33.0 // indirect
k8s.io/component-base v0.33.0 // indirect
k8s.io/apimachinery v0.33.1 // indirect
k8s.io/apiserver v0.32.3 // indirect
k8s.io/cli-runtime v0.33.1 // indirect
k8s.io/client-go v0.33.1 // indirect
k8s.io/component-base v0.33.1 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
k8s.io/kubectl v0.33.0 // indirect
k8s.io/kubectl v0.33.1 // indirect
modernc.org/libc v1.62.1 // indirect
modernc.org/mathutil v1.7.1 // indirect
modernc.org/memory v1.9.1 // indirect
mvdan.cc/sh/v3 v3.11.0 // indirect
oras.land/oras-go v1.2.5 // indirect
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
sigs.k8s.io/kind v0.19.0 // indirect
sigs.k8s.io/kustomize/api v0.19.0 // indirect
sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
)
require (
github.com/alessio/shellescape v1.4.1 // indirect
github.com/aquasecurity/jfather v0.0.8 // indirect
github.com/aws/aws-sdk-go v1.55.7 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
github.com/ebitengine/purego v0.8.2 // indirect
github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
github.com/google/go-github/v31 v31.0.0 // indirect
github.com/google/safetext v0.0.0-20220905092116-b49f7bc46da2 // indirect
github.com/google/subcommands v1.2.0 // indirect
github.com/knqyf263/labeler v0.0.0-20200423181506-7a6e545148c3 // indirect
github.com/moby/go-archive v0.1.0 // indirect
github.com/moby/sys/atomicwriter v0.1.0 // indirect
github.com/oklog/ulid/v2 v2.1.0 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/samber/oops v1.15.0 // indirect
github.com/shirou/gopsutil/v4 v4.25.1 // indirect
github.com/sigstore/protobuf-specs v0.4.1 // indirect
github.com/tonglil/versioning v0.0.0-20170205083536-8b2a4334bd1d // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
sigs.k8s.io/kind v0.19.0 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)
tool (

161
go.sum
View File

@@ -1,5 +1,5 @@
cel.dev/expr v0.19.1 h1:NciYrtDRIR0lNCnH1LFJegdjspNx9fI59O7TWcua/W4=
cel.dev/expr v0.19.1/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
cel.dev/expr v0.20.0 h1:OunBvVCfvpWlt4dN7zg3FM6TDkzOePe1+foGJ9AXeeI=
cel.dev/expr v0.20.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
@@ -629,8 +629,6 @@ gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zum
git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc=
github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2 h1:dIScnXFlF784X79oi7MzVT6GWqr/W1uUt0pB5CsDs9M=
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20231105174938-2b5cbb29f3e2/go.mod h1:gCLVsLfv1egrcZu+GoJATN5ts75F2s62ih/457eWzOw=
github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d h1:zjqpY4C7H15HjRPEenkS4SAn3Jy2eRRjkjZbGR30TOg=
github.com/AdamKorcz/go-fuzz-headers-1 v0.0.0-20230919221257-8b5d3ce2d11d/go.mod h1:XNqJ7hv2kY++g8XEHREpi+JqZo3+0l+CH2egBVN4yqM=
github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 h1:8+4G8JaejP8Xa6W46PzJEwisNgBXMvFcz78N6zG/ARw=
@@ -639,8 +637,8 @@ github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0
github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 h1:OVoM452qUFBrX+URdH3VpR299ma4kfom0yB0URYky9g=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0/go.mod h1:kUjrAo8bgEwLeZ/CmHqNl3Z/kPm7y6FKfxxK0izYUg4=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0 h1:j8BorDEigD8UFOSZQiSqAMOOleyQOOQPnUAwV+Ls1gA=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4=
github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 h1:FPKJS1T+clwv+OLGt13a8UjqeRuh0O4SJ3lUriThc+4=
@@ -688,8 +686,8 @@ github.com/DataDog/zstd v1.5.5 h1:oWf5W7GtOLgp6bciQYDmhHHjdhYkALu6S/5Ni9ZgSvQ=
github.com/DataDog/zstd v1.5.5/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible h1:juIaKLLVhqzP55d8x4cSVgwyQv76Z55/fRv/UBr2KkQ=
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 h1:3c8yed4lgqTt+oTQ+JNMDo+F4xprBf+O/il4ZC0nRLw=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0/go.mod h1:obipzmGjfSjam60XLwGfqUkJsfiheAl+TUjG+4yzyPM=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0 h1:f2Qw/Ehhimh5uO1fayV0QIW7DShEQqhtUfhYc+cBPlw=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.26.0/go.mod h1:2bIszWvQRlJVmJLiuLhukLImRjKPcYdzzsx6darK02A=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 h1:o90wcURuxekmXrtxmYWTyNla0+ZEHhud6DI1ZTxd1vI=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0/go.mod h1:6fTWu4m3jocfUZLYF5KsZC1TUfRvEjs7lM4crme/irw=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.49.0 h1:jJKWl98inONJAr/IZrdFQUWcwUO95DLY1XMD1ZIut+g=
@@ -714,8 +712,8 @@ github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA4
github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
github.com/Microsoft/hcsshim v0.12.9 h1:2zJy5KA+l0loz1HzEGqyNnjd3fyZA31ZBCGKacp6lLg=
github.com/Microsoft/hcsshim v0.12.9/go.mod h1:fJ0gkFAna6ukt0bLdKB8djt4XIJhF/vEPuoIWYVvZ8Y=
github.com/Microsoft/hcsshim v0.13.0 h1:/BcXOiS6Qi7N9XqUcv27vkIuVOkBEcWstd2pMlWSeaA=
github.com/Microsoft/hcsshim v0.13.0/go.mod h1:9KWJ/8DgU+QzYGupX4tzMhRQE8h6w90lH6HAaclpEok=
github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=
github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
@@ -802,14 +800,14 @@ github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 h1:b43UVqY
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8/go.mod h1:wXA9k3uuaxY3yu7gxrxZDPo/04FEMJtwyecdAlYrEIo=
github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v1.10.0 h1:Q0FWsYy/uwvr/icRSOzNu55yDZ1ME8hZlpglNs62ZfE=
github.com/aquasecurity/trivy-checks v1.10.0/go.mod h1:/b633SOFNp8RjkxSq+FOg4SgxjklUp+BIQEyTWCnN1k=
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d h1:T16WrTi21YsMLQVhtp1r1hOIYK3x4BjnftpL9cp64Eo=
github.com/aquasecurity/trivy-db v0.0.0-20250227071930-8bd8a9b89e2d/go.mod h1:4bTsQPtMBN8v+UfUlE1aQBN1imftefnDafHBF85+aT8=
github.com/aquasecurity/trivy-checks v1.11.2-0.20250529074512-7afea1b738c4 h1:Njp9YEU+4vqmtcb21lWfivrbiLsdYreohmWQX3+KHiU=
github.com/aquasecurity/trivy-checks v1.11.2-0.20250529074512-7afea1b738c4/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k=
github.com/aquasecurity/trivy-db v0.0.0-20250529093513-a12dfc204b6e h1:+B/in1DQDGwQbKhW5pWL8XxBgnZKxXhUznylJ2NCyvs=
github.com/aquasecurity/trivy-db v0.0.0-20250529093513-a12dfc204b6e/go.mod h1:4zd4qZcjhNAHASz5I0O7qapv5h5gSJzSEaZXv/IPOGc=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.8.2 h1:8QP8fbUeC5y0kETDpk04XK52hYF6PsJOkd6HrbVnJqo=
github.com/aquasecurity/trivy-kubernetes v0.8.2/go.mod h1:O2SMbA3pnShkOCxBFT04ANYyDEvACbmd5t/XMH4uAFM=
github.com/aquasecurity/trivy-kubernetes v0.9.0 h1:rp8RuXwKfFWUPR/ULksA2WpD0z6rslVkzLmPGQr61Wc=
github.com/aquasecurity/trivy-kubernetes v0.9.0/go.mod h1:/JrWYEBmG5R30MraUQxtjM2vo6fc9Dt7ANMxJKrDzTw=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
@@ -835,8 +833,8 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1 h1:SeDJWG4pmye+/aO6k+zt9clPTUy1MXqUmkW8rbAddQg=
github.com/aws/aws-sdk-go-v2/service/ebs v1.22.1/go.mod h1:wRzaW0v9GGQS0h//wpsVDw3Hah5gs5UP+NxoyGeZIGM=
github.com/aws/aws-sdk-go-v2/service/ec2 v1.213.0 h1:9nUhN6dRT2chbA7E9y3JDGpIV1C7cZpfiRvX63EB5XA=
github.com/aws/aws-sdk-go-v2/service/ec2 v1.213.0/go.mod h1:ouvGEfHbLaIlWwpDpOVWPWR+YwO0HDv3vm5tYLq8ImY=
github.com/aws/aws-sdk-go-v2/service/ec2 v1.218.0 h1:QPYsTfcPpPhkF+37pxLcl3xbQz2SRxsShQNB6VCkvLo=
github.com/aws/aws-sdk-go-v2/service/ec2 v1.218.0/go.mod h1:ouvGEfHbLaIlWwpDpOVWPWR+YwO0HDv3vm5tYLq8ImY=
github.com/aws/aws-sdk-go-v2/service/ecr v1.44.0 h1:E+UTVTDH6XTSjqxHWRuY8nB6s+05UllneWxnycplHFk=
github.com/aws/aws-sdk-go-v2/service/ecr v1.44.0/go.mod h1:iQ1skgw1XRK+6Lgkb0I9ODatAP72WoTILh0zXQ5DtbU=
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0=
@@ -933,8 +931,8 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/cncf/xds/go v0.0.0-20230105202645-06c439db220b/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3 h1:boJj011Hh+874zpIySeApCX4GeOjPl9qhRF3QuIZq+Q=
github.com/cncf/xds/go v0.0.0-20241223141626-cff3c89139a3/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 h1:Om6kYQYDUk5wWbT0t0q6pvyM49i9XZAv9dDrkDA7gjk=
github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=
github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
@@ -945,10 +943,10 @@ github.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJ
github.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins=
github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
github.com/containerd/containerd/v2 v2.0.5 h1:2vg/TjUXnaohAxiHnthQg8K06L9I4gdYEMcOLiMc8BQ=
github.com/containerd/containerd/v2 v2.0.5/go.mod h1:Qqo0UN43i2fX1FLkrSTCg6zcHNfjN7gEnx3NPRZI+N0=
github.com/containerd/containerd/api v1.9.0 h1:HZ/licowTRazus+wt9fM6r/9BQO7S0vD5lMcWspGIg0=
github.com/containerd/containerd/api v1.9.0/go.mod h1:GhghKFmTR3hNtyznBoQ0EMWr9ju5AqHjcZPsSpTKutI=
github.com/containerd/containerd/v2 v2.1.1 h1:znnkm7Ajz8lg8BcIPMhc/9yjBRN3B+OkNKqKisKfwwM=
github.com/containerd/containerd/v2 v2.1.1/go.mod h1:zIfkQj4RIodclYQkX7GSSswSwgP8d/XxDOtOAoSDIGU=
github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
@@ -976,8 +974,9 @@ github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GK
github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/cpuguy83/go-md2man/v2 v2.0.7 h1:zbFlGlXEAKlwXpmvle3d8Oe3YnkKIK4xSRTd3sHPnBo=
github.com/cpuguy83/go-md2man/v2 v2.0.7/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
@@ -1093,8 +1092,8 @@ github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7z
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
@@ -1283,8 +1282,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/go-containerregistry v0.20.3 h1:oNx7IdTI936V8CQRveCjaxOiegWwvM7kqkbXTpyiovI=
github.com/google/go-containerregistry v0.20.3/go.mod h1:w00pIgBRDVUDFM6bq+Qx8lwNWK+cxgCuX1vd3PIBDNI=
github.com/google/go-containerregistry v0.20.5 h1:4RnlYcDs5hoA++CeFjlbZ/U9Yp1EuWr+UhhTyYQjOP0=
github.com/google/go-containerregistry v0.20.5/go.mod h1:Q14vdOOzug02bwnhMkZKD4e30pDaD9W65qzXpyzF49E=
github.com/google/go-github/v31 v31.0.0 h1:JJUxlP9lFK+ziXKimTCprajMApV1ecWD4NB6CCb0plo=
github.com/google/go-github/v31 v31.0.0/go.mod h1:NQPZol8/1sMoWYGN2yaALIBytu17gAWfhbweiEed3pM=
github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg=
@@ -1669,10 +1668,10 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/selinux v1.11.1 h1:nHFvthhM0qY8/m+vfhJylliSshm8G1jJ2jDMcgULaH8=
github.com/opencontainers/selinux v1.11.1/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553 h1:c4u0GIH0w2Q57Pm2Oldrq6EiHFnLCCnRs98A+ggj/YQ=
@@ -1692,8 +1691,8 @@ github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtP
github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
@@ -1749,8 +1748,8 @@ github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe
github.com/quasilyte/go-ruleguard/dsl v0.3.22/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI=
github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
@@ -1778,8 +1777,8 @@ github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsF
github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
github.com/samber/lo v1.50.0 h1:XrG0xOeHs+4FQ8gJR97zDz5uOFMW7OwFWiFVzqopKgY=
github.com/samber/lo v1.50.0/go.mod h1:RjZyNk6WSnUFRKK6EyOhsRJMqft3G+pg7dCWHQCWvsc=
github.com/samber/oops v1.15.0 h1:/mF33KAqA2TugU6y/tomFpK6G6mJB7g0aqRyHkaSIeg=
github.com/samber/oops v1.15.0/go.mod h1:9LpLZkpjojEt/of7EpG5o65i/Lp23ddDvGhg2L871Ow=
github.com/samber/oops v1.16.1 h1:XlKkXsWM5g8hE4C+sEV9n0X282fZn3XabVmAKU2RiHI=
github.com/samber/oops v1.16.1/go.mod h1:8eXgMAJcDXRAijQsFRhfy/EHDOTiSvwkg6khFqFK078=
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
github.com/sassoftware/go-rpmutils v0.4.0 h1:ojND82NYBxgwrV+mX1CWsd5QJvvEZTKddtCdFLPWhpg=
@@ -1856,8 +1855,8 @@ github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
github.com/spiffe/go-spiffe/v2 v2.2.0 h1:9Vf06UsvsDbLYK/zJ4sYsIsHmMFknUD+feA7IYoWMQY=
github.com/spiffe/go-spiffe/v2 v2.2.0/go.mod h1:Urzb779b3+IwDJD2ZbN8fVl3Aa8G4N/PiUe6iXC0XxU=
github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
@@ -1927,8 +1926,8 @@ github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0o
github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc=
github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
github.com/vbatts/tar-split v0.11.6 h1:4SjTW5+PU11n6fZenf2IPoV8/tz3AaYHMWjf23envGs=
github.com/vbatts/tar-split v0.11.6/go.mod h1:dqKNtesIOr2j2Qv3W/cHjnvk9I8+G7oAkFDFN6TCBEI=
github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo=
github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
@@ -1974,15 +1973,15 @@ github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go
github.com/zalando/go-keyring v0.2.3 h1:v9CUu9phlABObO4LPWycf+zwMG7nlbb3t/B5wa97yms=
github.com/zalando/go-keyring v0.2.3/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk=
github.com/zclconf/go-cty v1.10.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk=
github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70=
github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
github.com/zclconf/go-cty v1.16.3 h1:osr++gw2T61A8KVYHoQiFbFd1Lh3JOCXc/jFLJXKTxk=
github.com/zclconf/go-cty v1.16.3/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
github.com/zclconf/go-cty-yaml v1.1.0 h1:nP+jp0qPHv2IhUVqmQSzjvqAWcObN0KBkUl2rWBdig0=
github.com/zclconf/go-cty-yaml v1.1.0/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs=
github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
go.etcd.io/bbolt v1.4.0 h1:TU77id3TnN/zKr7CO/uk+fBCwF2jGcMuw2B/FMAzYIk=
@@ -2002,8 +2001,8 @@ go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJyS
go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
go.opentelemetry.io/contrib/detectors/gcp v1.34.0 h1:JRxssobiPg23otYU5SbWtQC//snGVIM3Tx6QRzlQBao=
go.opentelemetry.io/contrib/detectors/gcp v1.34.0/go.mod h1:cV4BMFcscUR/ckqLkbfQmF0PRsq8w/lMGzdbCSveBHo=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0 h1:rgMkmiGfix9vFJDcDi1PK8WEQP4FLQwLDfhp5ZLpFeE=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0/go.mod h1:ijPqXp5P6IRRByFVVg9DY8P5HkxkHE5ARIa+86aXPf4=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ=
go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
@@ -2056,8 +2055,8 @@ golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1m
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -2192,8 +2191,8 @@ golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -2223,8 +2222,8 @@ golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec
golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -2245,8 +2244,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -2348,8 +2347,8 @@ golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0=
golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
@@ -2367,8 +2366,8 @@ golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -2389,8 +2388,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -2466,8 +2465,8 @@ golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I=
golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -2733,8 +2732,8 @@ google.golang.org/grpc v1.52.3/go.mod h1:pu6fVzoFb+NBYNAvQL08ic+lvB2IojljRYuun5v
google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
google.golang.org/grpc v1.71.1 h1:ffsFWr7ygTUscGPI0KKK6TLrGz0476KUvvsbqWK0rPI=
google.golang.org/grpc v1.71.1/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
google.golang.org/grpc v1.72.0 h1:S7UkcVa60b5AAQTaO6ZKamFp1zMZSU0fGDK2WZLbBnM=
google.golang.org/grpc v1.72.0/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -2805,26 +2804,26 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
k8s.io/api v0.33.0 h1:yTgZVn1XEe6opVpP1FylmNrIFWuDqe2H0V8CT5gxfIU=
k8s.io/api v0.33.0/go.mod h1:CTO61ECK/KU7haa3qq8sarQ0biLq2ju405IZAd9zsiM=
k8s.io/api v0.33.1 h1:tA6Cf3bHnLIrUK4IqEgb2v++/GYUtqiu9sRVk3iBXyw=
k8s.io/api v0.33.1/go.mod h1:87esjTn9DRSRTD4fWMXamiXxJhpOIREjWOSjsW1kEHw=
k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4=
k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA=
k8s.io/apimachinery v0.33.0 h1:1a6kHrJxb2hs4t8EE5wuR/WxKDwGN1FKH3JvDtA0CIQ=
k8s.io/apimachinery v0.33.0/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
k8s.io/apiserver v0.32.2 h1:WzyxAu4mvLkQxwD9hGa4ZfExo3yZZaYzoYvvVDlM6vw=
k8s.io/apiserver v0.32.2/go.mod h1:PEwREHiHNU2oFdte7BjzA1ZyjWjuckORLIK/wLV5goM=
k8s.io/cli-runtime v0.33.0 h1:Lbl/pq/1o8BaIuyn+aVLdEPHVN665tBAXUePs8wjX7c=
k8s.io/cli-runtime v0.33.0/go.mod h1:QcA+r43HeUM9jXFJx7A+yiTPfCooau/iCcP1wQh4NFw=
k8s.io/client-go v0.33.0 h1:UASR0sAYVUzs2kYuKn/ZakZlcs2bEHaizrrHUZg0G98=
k8s.io/client-go v0.33.0/go.mod h1:kGkd+l/gNGg8GYWAPr0xF1rRKvVWvzh9vmZAMXtaKOg=
k8s.io/component-base v0.33.0 h1:Ot4PyJI+0JAD9covDhwLp9UNkUja209OzsJ4FzScBNk=
k8s.io/component-base v0.33.0/go.mod h1:aXYZLbw3kihdkOPMDhWbjGCO6sg+luw554KP51t8qCU=
k8s.io/apimachinery v0.33.1 h1:mzqXWV8tW9Rw4VeW9rEkqvnxj59k1ezDUl20tFK/oM4=
k8s.io/apimachinery v0.33.1/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
k8s.io/apiserver v0.32.3 h1:kOw2KBuHOA+wetX1MkmrxgBr648ksz653j26ESuWNY8=
k8s.io/apiserver v0.32.3/go.mod h1:q1x9B8E/WzShF49wh3ADOh6muSfpmFL0I2t+TG0Zdgc=
k8s.io/cli-runtime v0.33.1 h1:TvpjEtF71ViFmPeYMj1baZMJR4iWUEplklsUQ7D3quA=
k8s.io/cli-runtime v0.33.1/go.mod h1:9dz5Q4Uh8io4OWCLiEf/217DXwqNgiTS/IOuza99VZE=
k8s.io/client-go v0.33.1 h1:ZZV/Ks2g92cyxWkRRnfUDsnhNn28eFpt26aGc8KbXF4=
k8s.io/client-go v0.33.1/go.mod h1:JAsUrl1ArO7uRVFWfcj6kOomSlCv+JpvIsp6usAGefA=
k8s.io/component-base v0.33.1 h1:EoJ0xA+wr77T+G8p6T3l4efT2oNwbqBVKR71E0tBIaI=
k8s.io/component-base v0.33.1/go.mod h1:guT/w/6piyPfTgq7gfvgetyXMIh10zuXA6cRRm3rDuY=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
k8s.io/kubectl v0.33.0 h1:HiRb1yqibBSCqic4pRZP+viiOBAnIdwYDpzUFejs07g=
k8s.io/kubectl v0.33.0/go.mod h1:gAlGBuS1Jq1fYZ9AjGWbI/5Vk3M/VW2DK4g10Fpyn/0=
k8s.io/kubectl v0.33.1 h1:OJUXa6FV5bap6iRy345ezEjU9dTLxqv1zFTVqmeHb6A=
k8s.io/kubectl v0.33.1/go.mod h1:Z07pGqXoP4NgITlPRrnmiM3qnoo1QrK1zjw85Aiz8J0=
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=

4
helm/trivy/Chart.yaml
View File

@@ -1,7 +1,7 @@
apiVersion: v2
name: trivy
version: 0.13.1
appVersion: 0.61.1
version: 0.14.1
appVersion: 0.62.1
description: Trivy helm chart
keywords:
- scanner

8
integration/integration_test.go
View File

@@ -60,9 +60,10 @@ func initDB(t *testing.T) string {
defer dbtest.Close()
err = metadata.NewClient(db.Dir(cacheDir)).Update(metadata.Metadata{
Version: db.SchemaVersion,
NextUpdate: time.Now().Add(24 * time.Hour),
UpdatedAt: time.Now(),
Version: db.SchemaVersion,
NextUpdate: time.Now().Add(24 * time.Hour),
UpdatedAt: time.Now(),
DownloadedAt: time.Now(),
})
require.NoError(t, err)
@@ -304,6 +305,7 @@ func compareReports(t *testing.T, wantFile, gotFile string, override func(t *tes
if override != nil {
override(t, &want, &got)
}
assert.Equal(t, want, got)
}

9
integration/repo_test.go
View File

@@ -145,6 +145,15 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/pnpm.json.golden",
},
{
name: "bun",
args: args{
scanner: types.VulnerabilityScanner,
input: "testdata/fixtures/repo/bun",
listAllPkgs: true,
},
golden: "testdata/bun.json.golden",
},
{
name: "pip",
args: args{

2
integration/standalone_tar_test.go
View File

@@ -588,7 +588,7 @@ cache:
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
configPath := filepath.Join(t.TempDir(), "trivy.yaml")
err := os.WriteFile(configPath, []byte(tt.configFile), 0600)
err := os.WriteFile(configPath, []byte(tt.configFile), 0o600)
require.NoError(t, err)
osArgs := []string{

4
integration/testdata/alpine-39-high-critical.json.golden vendored
View File

@@ -68,7 +68,7 @@
"PkgName": "musl",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
"UID": "d6abd271e71d3ce2"
"UID": "aae058383ba5a25e"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
@@ -114,7 +114,7 @@
"PkgName": "musl-utils",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
"UID": "a35dd6cab4aabdf1"
"UID": "4089d29c2d05b72d"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",

4
integration/testdata/alpine-39.json.golden vendored
View File

@@ -380,7 +380,7 @@
"PkgName": "musl",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
"UID": "d6abd271e71d3ce2"
"UID": "aae058383ba5a25e"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
@@ -426,7 +426,7 @@
"PkgName": "musl-utils",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4",
"UID": "a35dd6cab4aabdf1"
"UID": "4089d29c2d05b72d"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",

196
integration/testdata/bun.json.golden vendored Normal file
View File

@@ -0,0 +1,196 @@
{
"SchemaVersion": 2,
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/repo/bun",
"ArtifactType": "repository",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "bun.lock",
"Class": "lang-pkgs",
"Type": "bun",
"Packages": [
{
"ID": "jquery@3.3.1",
"Name": "jquery",
"Identifier": {
"PURL": "pkg:npm/jquery@3.3.1",
"UID": "996607b7a767641"
},
"Version": "3.3.1",
"Relationship": "direct",
"Layer": {},
"Locations": [
{
"StartLine": 24,
"EndLine": 24
}
]
},
{
"ID": "typescript@5.8.3",
"Name": "typescript",
"Identifier": {
"PURL": "pkg:npm/typescript@5.8.3",
"UID": "dc420153a1d93546"
},
"Version": "5.8.3",
"Relationship": "direct",
"Layer": {},
"Locations": [
{
"StartLine": 26,
"EndLine": 26
}
]
}
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-11358",
"PkgID": "jquery@3.3.1",
"PkgName": "jquery",
"PkgIdentifier": {
"PURL": "pkg:npm/jquery@3.3.1",
"UID": "996607b7a767641"
},
"InstalledVersion": "3.3.1",
"FixedVersion": "3.4.0",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
"Title": "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection",
"Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-79"
],
"VendorSeverity": {
"alma": 2,
"amazon": 2,
"arch-linux": 2,
"ghsa": 2,
"nodejs-security-wg": 2,
"nvd": 2,
"oracle-oval": 2,
"redhat": 2,
"ruby-advisory-db": 2,
"ubuntu": 1
},
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V2Score": 4.3,
"V3Score": 6.1
},
"redhat": {
"V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"V3Score": 5.6
}
},
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html",
"http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html",
"http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html",
"http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html",
"http://seclists.org/fulldisclosure/2019/May/10",
"http://seclists.org/fulldisclosure/2019/May/11",
"http://seclists.org/fulldisclosure/2019/May/13",
"http://www.openwall.com/lists/oss-security/2019/06/03/2",
"http://www.securityfocus.com/bid/108023",
"https://access.redhat.com/errata/RHBA-2019:1570",
"https://access.redhat.com/errata/RHSA-2019:1456",
"https://access.redhat.com/errata/RHSA-2019:2587",
"https://access.redhat.com/errata/RHSA-2019:3023",
"https://access.redhat.com/errata/RHSA-2019:3024",
"https://access.redhat.com/security/cve/CVE-2019-11358",
"https://backdropcms.org/security/backdrop-sa-core-2019-009",
"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358",
"https://github.com/DanielRuf/snyk-js-jquery-174006?files=1",
"https://github.com/advisories/GHSA-6c3j-c64m-qhgq",
"https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b",
"https://github.com/jquery/jquery/pull/4333",
"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434",
"https://hackerone.com/reports/454365",
"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601",
"https://linux.oracle.com/cve/CVE-2019-11358.html",
"https://linux.oracle.com/errata/ELSA-2020-4847.html",
"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E",
"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E",
"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E",
"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E",
"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E",
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E",
"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E",
"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E",
"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E",
"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E",
"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E",
"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E",
"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E",
"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E",
"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html",
"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html",
"https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5/",
"https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"https://seclists.org/bugtraq/2019/Apr/32",
"https://seclists.org/bugtraq/2019/Jun/12",
"https://seclists.org/bugtraq/2019/May/18",
"https://security.netapp.com/advisory/ntap-20190919-0001/",
"https://snyk.io/vuln/SNYK-JS-JQUERY-174006",
"https://www.debian.org/security/2019/dsa-4434",
"https://www.debian.org/security/2019/dsa-4460",
"https://www.drupal.org/sa-core-2019-006",
"https://www.oracle.com//security-alerts/cpujul2021.html",
"https://www.oracle.com/security-alerts/cpuApr2021.html",
"https://www.oracle.com/security-alerts/cpuapr2020.html",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.oracle.com/security-alerts/cpuoct2020.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html",
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
"https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/",
"https://www.synology.com/security/advisory/Synology_SA_19_19",
"https://www.tenable.com/security/tns-2019-08",
"https://www.tenable.com/security/tns-2020-02"
],
"PublishedDate": "2019-04-20T00:29:00Z",
"LastModifiedDate": "2021-10-20T11:15:00Z"
}
]
}
]
}

36
integration/testdata/dockerfile-custom-policies.json.golden vendored
View File

@@ -21,46 +21,52 @@
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 28,
"Successes": 27,
"Failures": 2
},
"Misconfigurations": [
{
"Type": "Dockerfile Security Check",
"ID": "N/A",
"Title": "N/A",
"Description": "Rego module: data.user.bar",
"ID": "AVD-BAR-0001",
"AVDID": "AVD-BAR-0001",
"Title": "Custom policy",
"Description": "Custom policy for testing",
"Message": "something bad: bar",
"Namespace": "user.bar",
"Query": "data.user.bar.deny",
"Severity": "UNKNOWN",
"Resolution": "Custom policy for testing",
"Severity": "LOW",
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Generic",
"Service": "general",
"Provider": "Custom",
"Service": "custom",
"Code": {
"Lines": null
}
},
"RenderedCause": {}
}
},
{
"Type": "Dockerfile Security Check",
"ID": "N/A",
"Title": "N/A",
"Description": "Rego module: data.user.foo",
"ID": "AVD-FOO-0001",
"AVDID": "AVD-FOO-0001",
"Title": "Custom policy",
"Description": "Custom policy for testing",
"Message": "something bad: foo",
"Namespace": "user.foo",
"Query": "data.user.foo.deny",
"Severity": "UNKNOWN",
"Resolution": "Custom policy for testing",
"Severity": "LOW",
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Generic",
"Service": "general",
"Provider": "Custom",
"Service": "custom",
"Code": {
"Lines": null
}
},
"RenderedCause": {}
}
}
]

5
integration/testdata/dockerfile.json.golden vendored
View File

@@ -21,7 +21,7 @@
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 27,
"Successes": 26,
"Failures": 1
},
"Misconfigurations": [
@@ -48,7 +48,8 @@
"Service": "general",
"Code": {
"Lines": null
}
},
"RenderedCause": {}
}
}
]

5
integration/testdata/dockerfile_file_pattern.json.golden vendored
View File

@@ -21,7 +21,7 @@
"Class": "config",
"Type": "dockerfile",
"MisconfSummary": {
"Successes": 27,
"Successes": 26,
"Failures": 1
},
"Misconfigurations": [
@@ -48,7 +48,8 @@
"Service": "general",
"Code": {
"Lines": null
}
},
"RenderedCause": {}
}
}
]

30
integration/testdata/fixtures/repo/bun/bun.lock vendored Normal file
View File

@@ -0,0 +1,30 @@
{
"lockfileVersion": 1,
"workspaces": {
"": {
"name": "buntest",
"dependencies": {
"jquery": "3.3.1",
},
"devDependencies": {
"@types/bun": "latest",
},
"peerDependencies": {
"typescript": "^5",
},
},
},
"packages": {
"@types/bun": ["@types/bun@1.2.14", "", { "dependencies": { "bun-types": "1.2.14" } }, "sha512-VsFZKs8oKHzI7zwvECiAJ5oSorWndIWEVhfbYqZd4HI/45kzW7PN2Rr5biAzvGvRuNmYLSANY+H59ubHq8xw7Q=="],
"@types/node": ["@types/node@22.15.21", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-EV/37Td6c+MgKAbkcLG6vqZ2zEYHD7bvSrzqqs2RIhbA6w3x+Dqz8MZM3sP6kGTeLrdoOgKZe+Xja7tUB2DNkQ=="],
"bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="],
"jquery": ["jquery@3.3.1", "", {}, "sha512-Ubldcmxp5np52/ENotGxlLe6aGMvmF4R8S6tZjsP6Knsaxd/xp3Zrh50cG93lR6nPXyUFwzN3ZSOQI0wRJNdGg=="],
"typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="],
"undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
}
}

14
integration/testdata/fixtures/repo/custom-policy/policy/bar.rego vendored
View File

@@ -1,3 +1,17 @@
# METADATA
# title: Custom policy
# description: Custom policy for testing
# scope: package
# schemas:
# - input: schema["input"]
# custom:
# id: AVD-BAR-0001
# avd_id: AVD-BAR-0001
# provider: custom
# service: custom
# severity: LOW
# short_code: custom-policy
# recommended_action: Custom policy for testing
package user.bar
deny[res] {

14
integration/testdata/fixtures/repo/custom-policy/policy/foo.rego vendored
View File

@@ -1,3 +1,17 @@
# METADATA
# title: Custom policy
# description: Custom policy for testing
# scope: package
# schemas:
# - input: schema["input"]
# custom:
# id: AVD-FOO-0001
# avd_id: AVD-FOO-0001
# provider: custom
# service: custom
# severity: LOW
# short_code: custom-policy
# recommended_action: Custom policy for testing
package user.foo
deny[res] {

334
integration/testdata/helm.json.golden vendored
View File

@@ -22,7 +22,7 @@
"Type": "helm",
"MisconfSummary": {
"Successes": 78,
"Failures": 20
"Failures": 18
},
"Misconfigurations": [
{
@@ -865,213 +865,6 @@
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV032",
"AVDID": "AVD-KSV-0032",
"Title": "All container images must start with the *.azurecr.io domain",
"Description": "Containers should only use images from trusted registries.",
"Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
"Namespace": "builtin.kubernetes.KSV032",
"Query": "data.builtin.kubernetes.KSV032.deny",
"Resolution": "Use images from trusted Azure registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
"References": [
"https://avd.aquasec.com/misconfig/ksv032"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV033",
"AVDID": "AVD-KSV-0033",
"Title": "All container images must start with a GCR domain",
"Description": "Containers should only use images from trusted GCR registries.",
"Message": "container nginx of deployment nginx-deployment in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
"Namespace": "builtin.kubernetes.KSV033",
"Query": "data.builtin.kubernetes.KSV033.deny",
"Resolution": "Use images from trusted GCR registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
"References": [
"https://avd.aquasec.com/misconfig/ksv033"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV035",
"AVDID": "AVD-KSV-0035",
"Title": "All container images must start with an ECR domain",
"Description": "Container images from non-ECR registries should be forbidden.",
"Message": "Container 'nginx' of Deployment 'nginx-deployment' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
"Namespace": "builtin.kubernetes.KSV035",
"Query": "data.builtin.kubernetes.KSV035.deny",
"Resolution": "Container image should be used from Amazon container Registry",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
"References": [
"https://avd.aquasec.com/misconfig/ksv035"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV104",
@@ -1321,8 +1114,131 @@
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 19,
"EndLine": 22,
"Code": {
"Lines": null
"Lines": [
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": true,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV118",
"AVDID": "AVD-KSV-0118",
"Title": "Default security context configured",
"Description": "Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.",
"Message": "deployment nginx-deployment in default namespace is using the default security context, which allows root privileges",
"Namespace": "builtin.kubernetes.KSV118",
"Query": "data.builtin.kubernetes.KSV118.deny",
"Resolution": "To enhance security, it is strongly recommended not to rely on the default security context. Instead, it is advisable to explicitly define the required security parameters (such as runAsNonRoot, capabilities, readOnlyRootFilesystem, etc.) within the security context.",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv118",
"References": [
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
"https://avd.aquasec.com/misconfig/ksv118"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 18,
"EndLine": 22,
"Code": {
"Lines": [
{
"Number": 18,
"Content": " containers:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:",
"FirstCause": true,
"LastCause": false
},
{
"Number": 19,
"Content": " - name: nginx",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: nginx",
"FirstCause": false,
"LastCause": false
},
{
"Number": 20,
"Content": " image: nginx:1.14.2",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mimage\u001b[0m: nginx:1.14.2",
"FirstCause": false,
"LastCause": false
},
{
"Number": 21,
"Content": " ports:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mports\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 22,
"Content": " - containerPort: 80",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mcontainerPort\u001b[0m: \u001b[38;5;37m80\u001b[0m",
"FirstCause": false,
"LastCause": true
}
]
},
"RenderedCause": {}
}

517
integration/testdata/helm_testchart.json.golden vendored
View File

@@ -21,8 +21,8 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 90,
"Failures": 8
"Successes": 89,
"Failures": 6
},
"Misconfigurations": [
{
@@ -283,390 +283,6 @@
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV032",
"AVDID": "AVD-KSV-0032",
"Title": "All container images must start with the *.azurecr.io domain",
"Description": "Containers should only use images from trusted registries.",
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
"Namespace": "builtin.kubernetes.KSV032",
"Query": "data.builtin.kubernetes.KSV032.deny",
"Resolution": "Use images from trusted Azure registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
"References": [
"https://avd.aquasec.com/misconfig/ksv032"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV033",
"AVDID": "AVD-KSV-0033",
"Title": "All container images must start with a GCR domain",
"Description": "Containers should only use images from trusted GCR registries.",
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
"Namespace": "builtin.kubernetes.KSV033",
"Query": "data.builtin.kubernetes.KSV033.deny",
"Resolution": "Use images from trusted GCR registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
"References": [
"https://avd.aquasec.com/misconfig/ksv033"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV035",
"AVDID": "AVD-KSV-0035",
"Title": "All container images must start with an ECR domain",
"Description": "Container images from non-ECR registries should be forbidden.",
"Message": "Container 'testchart' of Deployment 'testchart' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
"Namespace": "builtin.kubernetes.KSV035",
"Query": "data.builtin.kubernetes.KSV035.deny",
"Resolution": "Container image should be used from Amazon container Registry",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
"References": [
"https://avd.aquasec.com/misconfig/ksv035"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV104",
@@ -923,6 +539,135 @@
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV118",
"AVDID": "AVD-KSV-0118",
"Title": "Default security context configured",
"Description": "Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.",
"Message": "deployment testchart in default namespace is using the default security context, which allows root privileges",
"Namespace": "builtin.kubernetes.KSV118",
"Query": "data.builtin.kubernetes.KSV118.deny",
"Resolution": "To enhance security, it is strongly recommended not to rely on the default security context. Instead, it is advisable to explicitly define the required security parameters (such as runAsNonRoot, capabilities, readOnlyRootFilesystem, etc.) within the security context.",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv118",
"References": [
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
"https://avd.aquasec.com/misconfig/ksv118"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 24,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 24,
"Content": " serviceAccountName: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mserviceAccountName\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 25,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 26,
"Content": " {}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " {}",
"FirstCause": false,
"LastCause": false
},
{
"Number": 27,
"Content": " containers:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": true
},
{
"Number": 33,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
}
]
},

517
integration/testdata/helm_testchart.overridden.json.golden vendored
View File

@@ -21,8 +21,8 @@
"Class": "config",
"Type": "helm",
"MisconfSummary": {
"Successes": 88,
"Failures": 10
"Successes": 87,
"Failures": 8
},
"Misconfigurations": [
{
@@ -412,390 +412,6 @@
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV032",
"AVDID": "AVD-KSV-0032",
"Title": "All container images must start with the *.azurecr.io domain",
"Description": "Containers should only use images from trusted registries.",
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. For Azure any domain ending in 'azurecr.io'",
"Namespace": "builtin.kubernetes.KSV032",
"Query": "data.builtin.kubernetes.KSV032.deny",
"Resolution": "Use images from trusted Azure registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv032",
"References": [
"https://avd.aquasec.com/misconfig/ksv032"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV033",
"AVDID": "AVD-KSV-0033",
"Title": "All container images must start with a GCR domain",
"Description": "Containers should only use images from trusted GCR registries.",
"Message": "container testchart of deployment testchart in default namespace should restrict container image to your specific registry domain. See the full GCR list here: https://cloud.google.com/container-registry/docs/overview#registries",
"Namespace": "builtin.kubernetes.KSV033",
"Query": "data.builtin.kubernetes.KSV033.deny",
"Resolution": "Use images from trusted GCR registries.",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv033",
"References": [
"https://avd.aquasec.com/misconfig/ksv033"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV035",
"AVDID": "AVD-KSV-0035",
"Title": "All container images must start with an ECR domain",
"Description": "Container images from non-ECR registries should be forbidden.",
"Message": "Container 'testchart' of Deployment 'testchart' should restrict images to own ECR repository. See the full ECR list here: https://docs.aws.amazon.com/general/latest/gr/ecr.html",
"Namespace": "builtin.kubernetes.KSV035",
"Query": "data.builtin.kubernetes.KSV035.deny",
"Resolution": "Container image should be used from Amazon container Registry",
"Severity": "MEDIUM",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv035",
"References": [
"https://avd.aquasec.com/misconfig/ksv035"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 28,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": false
},
{
"Number": 33,
"Content": " readOnlyRootFilesystem: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mreadOnlyRootFilesystem\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 34,
"Content": " runAsGroup: 10001",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsGroup\u001b[0m: \u001b[38;5;37m10001",
"FirstCause": false,
"LastCause": false
},
{
"Number": 35,
"Content": " runAsNonRoot: true",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsNonRoot\u001b[0m: \u001b[38;5;166mtrue",
"FirstCause": false,
"LastCause": false
},
{
"Number": 36,
"Content": " runAsUser: 0",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": "\u001b[0m \u001b[38;5;33mrunAsUser\u001b[0m: \u001b[38;5;37m0",
"FirstCause": false,
"LastCause": true
},
{
"Number": 37,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV104",
@@ -1152,6 +768,135 @@
},
"RenderedCause": {}
}
},
{
"Type": "Helm Security Check",
"ID": "KSV118",
"AVDID": "AVD-KSV-0118",
"Title": "Default security context configured",
"Description": "Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.",
"Message": "deployment testchart in default namespace is using the default security context, which allows root privileges",
"Namespace": "builtin.kubernetes.KSV118",
"Query": "data.builtin.kubernetes.KSV118.deny",
"Resolution": "To enhance security, it is strongly recommended not to rely on the default security context. Instead, it is advisable to explicitly define the required security parameters (such as runAsNonRoot, capabilities, readOnlyRootFilesystem, etc.) within the security context.",
"Severity": "HIGH",
"PrimaryURL": "https://avd.aquasec.com/misconfig/ksv118",
"References": [
"https://kubernetes.io/docs/tasks/configure-pod-container/security-context/",
"https://avd.aquasec.com/misconfig/ksv118"
],
"Status": "FAIL",
"Layer": {},
"CauseMetadata": {
"Provider": "Kubernetes",
"Service": "general",
"StartLine": 24,
"EndLine": 57,
"Code": {
"Lines": [
{
"Number": 24,
"Content": " serviceAccountName: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mserviceAccountName\u001b[0m: testchart",
"FirstCause": true,
"LastCause": false
},
{
"Number": 25,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 26,
"Content": " {}",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " {}",
"FirstCause": false,
"LastCause": false
},
{
"Number": 27,
"Content": " containers:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcontainers\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 28,
"Content": " - name: testchart",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - \u001b[38;5;33mname\u001b[0m: testchart",
"FirstCause": false,
"LastCause": false
},
{
"Number": 29,
"Content": " securityContext:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33msecurityContext\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 30,
"Content": " capabilities:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mcapabilities\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 31,
"Content": " drop:",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " \u001b[38;5;33mdrop\u001b[0m:",
"FirstCause": false,
"LastCause": false
},
{
"Number": 32,
"Content": " - ALL",
"IsCause": true,
"Annotation": "",
"Truncated": false,
"Highlighted": " - ALL",
"FirstCause": false,
"LastCause": true
},
{
"Number": 33,
"Content": "",
"IsCause": false,
"Annotation": "",
"Truncated": true,
"FirstCause": false,
"LastCause": false
}
]
},
"RenderedCause": {}
}
}
]
},

16
integration/testdata/julia-spdx.json.golden vendored
View File

@@ -3,7 +3,7 @@
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "testdata/fixtures/repo/julia",
"documentNamespace": "http://trivy.dev/filesystem/testdata/fixtures/repo/julia-3ff14136-e09f-4df9-80ea-000000000006",
"documentNamespace": "http://trivy.dev/filesystem/testdata/fixtures/repo/julia-3ff14136-e09f-4df9-80ea-000000000007",
"creationInfo": {
"creators": [
"Organization: aquasecurity",
@@ -35,7 +35,7 @@
},
{
"name": "A",
"SPDXID": "SPDXRef-Package-7784b00da0cb0cb0",
"SPDXID": "SPDXRef-Package-761ce79b41d8f121",
"versionInfo": "1.9.0",
"supplier": "NOASSERTION",
"downloadLocation": "NONE",
@@ -68,7 +68,7 @@
},
{
"name": "B",
"SPDXID": "SPDXRef-Package-960543ac5c5f7e10",
"SPDXID": "SPDXRef-Package-28f04edc422602a",
"versionInfo": "1.9.0",
"supplier": "NOASSERTION",
"downloadLocation": "NONE",
@@ -101,7 +101,7 @@
},
{
"name": "B",
"SPDXID": "SPDXRef-Package-a4705eb108e4f15c",
"SPDXID": "SPDXRef-Package-6e0b0d1825d8c02c",
"versionInfo": "1.9.0",
"supplier": "NOASSERTION",
"downloadLocation": "NONE",
@@ -151,12 +151,12 @@
"relationships": [
{
"spdxElementId": "SPDXRef-Application-18fc3597717a3e56",
"relatedSpdxElement": "SPDXRef-Package-7784b00da0cb0cb0",
"relatedSpdxElement": "SPDXRef-Package-6e0b0d1825d8c02c",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Application-18fc3597717a3e56",
"relatedSpdxElement": "SPDXRef-Package-a4705eb108e4f15c",
"relatedSpdxElement": "SPDXRef-Package-761ce79b41d8f121",
"relationshipType": "CONTAINS"
},
{
@@ -170,8 +170,8 @@
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Package-7784b00da0cb0cb0",
"relatedSpdxElement": "SPDXRef-Package-960543ac5c5f7e10",
"spdxElementId": "SPDXRef-Package-761ce79b41d8f121",
"relatedSpdxElement": "SPDXRef-Package-28f04edc422602a",
"relationshipType": "DEPENDS_ON"
}
]

2
internal/dbtest/db.go
View File

@@ -21,7 +21,7 @@ func InitDB(t *testing.T, fixtureFiles []string) string {
dbDir := db.Dir(cacheDir)
dbPath := trivydb.Path(dbDir)
err := os.MkdirAll(dbDir, 0700)
err := os.MkdirAll(dbDir, 0o700)
require.NoError(t, err)
// Load testdata into BoltDB

4
internal/testutil/fs.go
View File

@@ -65,7 +65,7 @@ func MustReadYAML(t *testing.T, path string, out any) {
}
func MustMkdirAll(t *testing.T, dir string) {
err := os.MkdirAll(dir, 0750)
err := os.MkdirAll(dir, 0o750)
require.NoError(t, err)
}
@@ -87,6 +87,6 @@ func MustWriteFile(t *testing.T, filePath string, content []byte) {
dir := filepath.Dir(filePath)
MustMkdirAll(t, dir)
err := os.WriteFile(filePath, content, 0600)
err := os.WriteFile(filePath, content, 0o600)
require.NoError(t, err)
}

14
magefiles/fixture.go
View File

@@ -23,7 +23,7 @@ var auth = crane.WithAuthFromKeychain(authn.NewMultiKeychain(authn.DefaultKeycha
func fixtureContainerImages() error {
var testImages = testutil.ImageName("", "", "")
if err := os.MkdirAll(dir, 0750); err != nil {
if err := os.MkdirAll(dir, 0o750); err != nil {
return err
}
tags, err := crane.ListTags(testImages, auth)
@@ -38,10 +38,7 @@ func fixtureContainerImages() error {
}
// Save trivy-test-images/containerd image
if err := saveImage("containerd", "latest"); err != nil {
return err
}
return nil
return saveImage("containerd", "latest")
}
func saveImage(subpath, tag string) error {
@@ -65,10 +62,7 @@ func saveImage(subpath, tag string) error {
if err = crane.Save(img, imgName, tarPath); err != nil {
return err
}
if err = sh.Run("gzip", tarPath); err != nil {
return err
}
return nil
return sh.Run("gzip", tarPath)
}
func fixtureVMImages() error {
@@ -77,7 +71,7 @@ func fixtureVMImages() error {
titleAnnotation = "org.opencontainers.image.title"
dir = "integration/testdata/fixtures/vm-images/"
)
if err := os.MkdirAll(dir, 0750); err != nil {
if err := os.MkdirAll(dir, 0o750); err != nil {
return err
}
tags, err := crane.ListTags(testVMImages, auth)

2
magefiles/helm_test.go
View File

@@ -78,7 +78,7 @@ keywords:
- trivy
- vulnerability
`
err = os.WriteFile(tempFile.Name(), []byte(content), 0644)
err = os.WriteFile(tempFile.Name(), []byte(content), 0o644)
assert.NoError(t, err)
newVersion, err := bumpHelmChart(tempFile.Name(), "0.55.1")

10
magefiles/magefile.go
View File

@@ -189,19 +189,13 @@ func (Test) FixtureTerraformPlanSnapshots() error {
// GenerateModules compiles WASM modules for unit tests
func (Test) GenerateModules() error {
pattern := filepath.Join("pkg", "module", "testdata", "*", "*.go")
if err := compileWasmModules(pattern); err != nil {
return err
}
return nil
return compileWasmModules(pattern)
}
// GenerateExampleModules compiles example Wasm modules for integration tests
func (Test) GenerateExampleModules() error {
pattern := filepath.Join("examples", "module", "*", "*.go")
if err := compileWasmModules(pattern); err != nil {
return err
}
return nil
return compileWasmModules(pattern)
}
// UpdateGolden updates golden files for integration tests

2
magefiles/schema.go
View File

@@ -45,7 +45,7 @@ func GenSchema() error {
if err != nil {
return err
}
if err := os.WriteFile(schemaPath, data, 0600); err != nil {
if err := os.WriteFile(schemaPath, data, 0o600); err != nil {
return err
}
return nil

7
mkdocs.yml
View File

@@ -54,6 +54,7 @@ nav:
- Vulnerability: docs/scanner/vulnerability.md
- Misconfiguration:
- Overview: docs/scanner/misconfiguration/index.md
- Configuration: docs/scanner/misconfiguration/config/config.md
- Policy:
- Built-in Checks: docs/scanner/misconfiguration/check/builtin.md
- Custom Checks:
@@ -75,9 +76,12 @@ nav:
- Alpine Linux: docs/coverage/os/alpine.md
- Amazon Linux: docs/coverage/os/amazon.md
- Azure Linux (CBL-Mariner): docs/coverage/os/azure.md
- Bottlerocket: docs/coverage/os/bottlerocket.md
- CentOS: docs/coverage/os/centos.md
- Chainguard: docs/coverage/os/chainguard.md
- Debian: docs/coverage/os/debian.md
- Echo: docs/coverage/os/echo.md
- MinimOS: docs/coverage/os/minimos.md
- Oracle Linux: docs/coverage/os/oracle.md
- Photon OS: docs/coverage/os/photon.md
- Red Hat: docs/coverage/os/rhel.md
@@ -118,7 +122,7 @@ nav:
- Configuration:
- Overview: docs/configuration/index.md
- Filtering: docs/configuration/filtering.md
- Skipping Files: docs/configuration/skipping.md
- Selecting Files: docs/configuration/skipping.md
- Reporting: docs/configuration/reporting.md
- Cache: docs/configuration/cache.md
- Databases: docs/configuration/db.md
@@ -156,6 +160,7 @@ nav:
- GCR (Google Container Registry): docs/advanced/private-registries/gcr.md
- ACR (Azure Container Registry): docs/advanced/private-registries/acr.md
- Self-Hosted: docs/advanced/private-registries/self.md
- Usage Telemetry: docs/advanced/telemetry.md
- References:
- Configuration:
- CLI:

4
pkg/cache/fs.go vendored
View File

@@ -21,11 +21,11 @@ type FSCache struct {
func NewFSCache(cacheDir string) (FSCache, error) {
dir := filepath.Join(cacheDir, scanCacheDirName)
if err := os.MkdirAll(dir, 0700); err != nil {
if err := os.MkdirAll(dir, 0o700); err != nil {
return FSCache{}, xerrors.Errorf("failed to create cache dir: %w", err)
}
db, err := bolt.Open(filepath.Join(dir, "fanal.db"), 0600, nil)
db, err := bolt.Open(filepath.Join(dir, "fanal.db"), 0o600, nil)
if err != nil {
return FSCache{}, xerrors.Errorf("unable to open DB: %w", err)
}

2
pkg/cache/fs_test.go vendored
View File

@@ -20,7 +20,7 @@ func newTempDB(t *testing.T, dbPath string) (string, error) {
dir := t.TempDir()
if dbPath != "" {
d := filepath.Join(dir, "fanal")
if err := os.MkdirAll(d, 0700); err != nil {
if err := os.MkdirAll(d, 0o700); err != nil {
return "", err
}

19
pkg/commands/app.go
View File

@@ -252,7 +252,7 @@ func NewImageCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
reportFlagGroup.ReportFormat = report
compliance := flag.ComplianceFlag.Clone()
compliance.Values = []string{types.ComplianceDockerCIS160}
compliance.Usage = fmt.Sprintf("%s (built-in compliance's: %s)", compliance.Usage, types.ComplianceDockerCIS160)
reportFlagGroup.Compliance = compliance // override usage as the accepted values differ for each subcommand.
packageFlagGroup := flag.NewPackageFlagGroup()
@@ -995,18 +995,15 @@ func NewKubernetesCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
imageFlags := &flag.ImageFlagGroup{ImageSources: flag.SourceFlag.Clone()}
reportFlagGroup := flag.NewReportFlagGroup()
reportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol'
reportFlagGroup.TableMode = nil // disable '--table-mode's
compliance := flag.ComplianceFlag.Clone()
compliance.Values = []string{
types.ComplianceK8sNsa10,
types.ComplianceK8sCIS123,
types.ComplianceEksCIS14,
types.ComplianceRke2CIS124,
types.ComplianceK8sPSSBaseline01,
types.ComplianceK8sPSSRestricted01,
var compliances string
for _, val := range types.BuiltInK8sCompiances {
compliances += fmt.Sprintf("\n - %s", val)
}
compliance.Usage = fmt.Sprintf("%s\nBuilt-in compliance's:%s", compliance.Usage, compliances)
reportFlagGroup.Compliance = compliance // override usage as the accepted values differ for each subcommand.
reportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol'
reportFlagGroup.TableMode = nil // disable '--table-mode'
formatFlag := flag.FormatFlag.Clone()
formatFlag.Values = xstrings.ToStringSlice([]types.Format{
@@ -1172,6 +1169,8 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
scanFlagGroup := flag.NewScanFlagGroup()
scanFlagGroup.Scanners = scanners // allow only 'vuln' and 'license' options for '--scanners'
scanFlagGroup.Parallel = nil // disable '--parallel'
scanFlagGroup.SkipFiles = nil // disable `--skip-files` since `sbom` command only supports scanning one file.
scanFlagGroup.SkipDirs = nil // disable `--skip-dirs` since `sbom` command only supports scanning one file.
licenseFlagGroup := flag.NewLicenseFlagGroup()
// License full-scan and confidence-level are for file content only

23
pkg/commands/artifact/run.go
View File

@@ -26,6 +26,7 @@ import (
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/misconf"
"github.com/aquasecurity/trivy/pkg/module"
"github.com/aquasecurity/trivy/pkg/notification"
"github.com/aquasecurity/trivy/pkg/policy"
pkgReport "github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/result"
@@ -92,6 +93,7 @@ type Runner interface {
type runner struct {
initializeScanService InitializeScanService
versionChecker *notification.VersionChecker
dbOpen bool
// WASM modules
@@ -116,6 +118,13 @@ func NewRunner(ctx context.Context, cliOptions flag.Options, opts ...RunnerOptio
opt(r)
}
// If the user has not disabled notices or is running in quiet mode
r.versionChecker = notification.NewVersionChecker(
notification.WithSkipVersionCheck(cliOptions.SkipVersionCheck),
notification.WithQuietMode(cliOptions.Quiet),
notification.WithTelemetryDisabled(cliOptions.DisableTelemetry),
)
// Update the vulnerability database if needed.
if err := r.initDB(ctx, cliOptions); err != nil {
return nil, xerrors.Errorf("DB error: %w", err)
@@ -137,6 +146,13 @@ func NewRunner(ctx context.Context, cliOptions flag.Options, opts ...RunnerOptio
m.Register()
r.module = m
// Make a silent attempt to check for updates in the background
// only do this if the user has not disabled notices or is running
// in quiet mode
if r.versionChecker != nil {
r.versionChecker.RunUpdateCheck(ctx, os.Args[1:])
}
return r, nil
}
@@ -152,6 +168,12 @@ func (r *runner) Close(ctx context.Context) error {
if err := r.module.Close(ctx); err != nil {
errs = multierror.Append(errs, err)
}
// silently check if there is notifications
if r.versionChecker != nil {
r.versionChecker.PrintNotices(os.Stderr)
}
return errs
}
@@ -703,6 +725,7 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
DisableEmbeddedLibraries: disableEmbedded,
IncludeDeprecatedChecks: opts.IncludeDeprecatedChecks,
TfExcludeDownloaded: opts.TfExcludeDownloaded,
RawConfigScanners: opts.RawConfigScanners,
FilePatterns: opts.FilePatterns,
ConfigFileSchemas: configSchemas,
SkipFiles: opts.SkipFiles,

2
pkg/commands/auth/run_test.go
View File

@@ -120,7 +120,7 @@ func TestLogout(t *testing.T) {
t.Run("success", func(t *testing.T) {
configFile := filepath.Join(tmpDir, "config.json")
err := os.WriteFile(configFile, []byte(`{"auths": {"auth.test": {"auth": "dXNlcjpwYXNz"}}}`), 0600)
err := os.WriteFile(configFile, []byte(`{"auths": {"auth.test": {"auth": "dXNlcjpwYXNz"}}}`), 0o600)
require.NoError(t, err)
err = auth.Logout(t.Context(), "auth.test")

4
pkg/commands/clean/run_test.go
View File

@@ -152,11 +152,11 @@ func createTestFiles(t *testing.T, dir string) {
"vex",
}
for _, subdir := range subdirs {
err := os.MkdirAll(filepath.Join(dir, subdir), 0755)
err := os.MkdirAll(filepath.Join(dir, subdir), 0o755)
require.NoError(t, err)
testFile := filepath.Join(dir, subdir, "testfile.txt")
err = os.WriteFile(testFile, []byte("test content"), 0644)
err = os.WriteFile(testFile, []byte("test content"), 0o644)
require.NoError(t, err)
}
}

18
pkg/db/db.go
View File

@@ -110,9 +110,18 @@ func (c *Client) NeedsUpdate(ctx context.Context, cliVersion string, skip bool)
meta = metadata.Metadata{Version: db.SchemaVersion}
}
// There are 2 cases when DownloadAt field is zero:
// - trivy-db was downloaded with `oras`. In this case user can use `--skip-db-update` (like for air-gapped) or re-download trivy-db.
// - trivy-db was corrupted while copying from tmp directory to cache directory. We should update this trivy-db.
// We can't detect these cases, so we will show warning for users who use oras + air-gapped.
if meta.DownloadedAt.IsZero() && !skip {
log.WarnContext(ctx, "Trivy DB may be corrupted and will be re-downloaded. If you manually downloaded DB - use the `--skip-db-update` flag to skip updating DB.")
return true, nil
}
if skip && noRequiredFiles {
log.ErrorContext(ctx, "The first run cannot skip downloading DB")
return false, xerrors.New("--skip-update cannot be specified on the first run")
return false, xerrors.New("--skip-db-update cannot be specified on the first run")
}
if db.SchemaVersion < meta.Version {
@@ -141,7 +150,7 @@ func (c *Client) NeedsUpdate(ctx context.Context, cliVersion string, skip bool)
func (c *Client) validate(meta metadata.Metadata) error {
if db.SchemaVersion != meta.Version {
log.Error("The local DB has an old schema version which is not supported by the current version of Trivy CLI. DB needs to be updated.")
return xerrors.Errorf("--skip-update cannot be specified with the old DB schema. Local DB: %d, Expected: %d",
return xerrors.Errorf("--skip-db-update cannot be specified with the old DB schema. Local DB: %d, Expected: %d",
meta.Version, db.SchemaVersion)
}
return nil
@@ -163,11 +172,6 @@ func (c *Client) isNewDB(ctx context.Context, meta metadata.Metadata) bool {
// Download downloads the DB file
func (c *Client) Download(ctx context.Context, dst string, opt types.RegistryOptions) error {
// Remove the metadata file under the cache directory before downloading DB
if err := c.metadata.Delete(); err != nil {
log.DebugContext(ctx, "No metadata file")
}
if err := c.downloadDB(ctx, opt, dst); err != nil {
return xerrors.Errorf("OCI artifact error: %w", err)
}

72
pkg/db/db_test.go
View File

@@ -19,6 +19,8 @@ func TestClient_NeedsUpdate(t *testing.T) {
timeNextUpdateDay1 := time.Date(2019, 9, 1, 0, 0, 0, 0, time.UTC)
timeNextUpdateDay2 := time.Date(2019, 10, 2, 0, 0, 0, 0, time.UTC)
timeDownloadAt := time.Date(2019, 9, 30, 22, 30, 0, 0, time.UTC)
tests := []struct {
name string
skip bool
@@ -57,11 +59,12 @@ func TestClient_NeedsUpdate(t *testing.T) {
want: true,
},
{
name: "happy path with --skip-update",
name: "happy path with --skip-db-update",
dbFileExists: true,
metadata: metadata.Metadata{
Version: db.SchemaVersion,
NextUpdate: timeNextUpdateDay1,
Version: db.SchemaVersion,
NextUpdate: timeNextUpdateDay1,
DownloadedAt: timeDownloadAt,
},
skip: true,
want: false,
@@ -70,8 +73,9 @@ func TestClient_NeedsUpdate(t *testing.T) {
name: "skip downloading DB",
dbFileExists: true,
metadata: metadata.Metadata{
Version: db.SchemaVersion,
NextUpdate: timeNextUpdateDay2,
Version: db.SchemaVersion,
NextUpdate: timeNextUpdateDay2,
DownloadedAt: timeDownloadAt,
},
want: false,
},
@@ -79,34 +83,36 @@ func TestClient_NeedsUpdate(t *testing.T) {
name: "newer schema version",
dbFileExists: true,
metadata: metadata.Metadata{
Version: db.SchemaVersion + 1,
NextUpdate: timeNextUpdateDay2,
Version: db.SchemaVersion + 1,
NextUpdate: timeNextUpdateDay2,
DownloadedAt: timeDownloadAt,
},
wantErr: fmt.Sprintf("the version of DB schema doesn't match. Local DB: %d, Expected: %d",
db.SchemaVersion+1, db.SchemaVersion),
},
{
name: "--skip-update without trivy.db on the first run",
name: "--skip-db-update without trivy.db on the first run",
dbFileExists: false,
skip: true,
wantErr: "--skip-update cannot be specified on the first run",
wantErr: "--skip-db-update cannot be specified on the first run",
},
{
name: "--skip-update without metadata.json on the first run",
name: "--skip-db-update without metadata.json on the first run",
dbFileExists: true,
metadata: metadata.Metadata{},
skip: true,
wantErr: "--skip-update cannot be specified on the first run",
wantErr: "--skip-db-update cannot be specified on the first run",
},
{
name: "--skip-update with different schema version",
name: "--skip-db-update with different schema version",
dbFileExists: true,
metadata: metadata.Metadata{
Version: 0,
NextUpdate: timeNextUpdateDay1,
Version: 0,
NextUpdate: timeNextUpdateDay1,
DownloadedAt: timeDownloadAt,
},
skip: true,
wantErr: fmt.Sprintf("--skip-update cannot be specified with the old DB schema. Local DB: %d, Expected: %d",
wantErr: fmt.Sprintf("--skip-db-update cannot be specified with the old DB schema. Local DB: %d, Expected: %d",
0, db.SchemaVersion),
},
{
@@ -115,7 +121,7 @@ func TestClient_NeedsUpdate(t *testing.T) {
metadata: metadata.Metadata{
Version: db.SchemaVersion,
NextUpdate: timeNextUpdateDay1,
DownloadedAt: time.Date(2019, 9, 30, 22, 30, 0, 0, time.UTC),
DownloadedAt: timeDownloadAt,
},
want: true,
},
@@ -129,6 +135,40 @@ func TestClient_NeedsUpdate(t *testing.T) {
},
want: false,
},
{
name: "DownloadedAt is zero, skip is false",
dbFileExists: true,
skip: false,
metadata: metadata.Metadata{
Version: db.SchemaVersion,
DownloadedAt: time.Time{}, // zero time
NextUpdate: timeNextUpdateDay1,
},
want: true,
},
{
name: "DownloadedAt is zero, skip is true",
dbFileExists: true,
skip: true,
metadata: metadata.Metadata{
Version: db.SchemaVersion,
DownloadedAt: time.Time{}, // zero time
NextUpdate: timeNextUpdateDay1,
},
want: false,
},
{
name: "DownloadedAt is zero, skip is true, old schema version",
dbFileExists: true,
skip: true,
metadata: metadata.Metadata{
Version: 0,
DownloadedAt: time.Time{}, // zero time
NextUpdate: timeNextUpdateDay1,
},
wantErr: "--skip-db-update cannot be specified with the old DB schema. Local DB: 0, Expected: 2",
want: false,
},
}
for _, tt := range tests {

14
pkg/dependency/parser/gradle/lockfile/parse.go
View File

@@ -34,11 +34,23 @@ func (Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependency,
}
name := strings.Join(dep[:2], ":")
version := strings.Split(dep[2], "=")[0] // remove classPaths
version, classPathsString, _ := strings.Cut(dep[2], "=")
classPaths := strings.Split(classPathsString, ",")
dev := true
for _, classPath := range classPaths {
if !strings.HasPrefix(classPath, "test") {
dev = false
break
}
}
pkgs = append(pkgs, ftypes.Package{
ID: dependency.ID(ftypes.Gradle, name, version),
Name: name,
Version: version,
Dev: dev,
Locations: []ftypes.Location{
{
StartLine: lineNum,

27
pkg/dependency/parser/gradle/lockfile/parse_test.go
View File

@@ -25,6 +25,7 @@ func TestParser_Parse(t *testing.T) {
ID: "cglib:cglib-nodep:2.1.2",
Name: "cglib:cglib-nodep",
Version: "2.1.2",
Dev: false,
Locations: []ftypes.Location{
{
StartLine: 4,
@@ -33,9 +34,10 @@ func TestParser_Parse(t *testing.T) {
},
},
{
ID: "org.springframework:spring-asm:3.1.3.RELEASE",
Name: "org.springframework:spring-asm",
Version: "3.1.3.RELEASE",
ID: "junit:junit:4.13.2",
Name: "junit:junit",
Version: "4.13.2",
Dev: true,
Locations: []ftypes.Location{
{
StartLine: 5,
@@ -44,9 +46,10 @@ func TestParser_Parse(t *testing.T) {
},
},
{
ID: "org.springframework:spring-beans:5.0.5.RELEASE",
Name: "org.springframework:spring-beans",
Version: "5.0.5.RELEASE",
ID: "org.springframework:spring-asm:3.1.3.RELEASE",
Name: "org.springframework:spring-asm",
Version: "3.1.3.RELEASE",
Dev: false,
Locations: []ftypes.Location{
{
StartLine: 6,
@@ -54,6 +57,18 @@ func TestParser_Parse(t *testing.T) {
},
},
},
{
ID: "org.springframework:spring-beans:5.0.5.RELEASE",
Name: "org.springframework:spring-beans",
Version: "5.0.5.RELEASE",
Dev: false,
Locations: []ftypes.Location{
{
StartLine: 7,
EndLine: 7,
},
},
},
},
},
{

3
pkg/dependency/parser/gradle/lockfile/testdata/happy.lockfile vendored
View File

@@ -2,7 +2,8 @@
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
cglib:cglib-nodep:2.1.2=testRuntimeClasspath,classpath
junit:junit:4.13.2=testCompileClasspath,testRuntimeClasspath
org.springframework:spring-asm:3.1.3.RELEASE=classpath
org.springframework:spring-beans:5.0.5.RELEASE=compileClasspath, runtimeClasspath
# io.grpc:grpc-api:1.21.1=classpath
empty=
empty=

2
pkg/dependency/parser/julia/manifest/naive_pkg_parser.go
View File

@@ -27,7 +27,7 @@ type naivePkgParser struct {
}
func (parser *naivePkgParser) parse() map[string]pkgPosition {
var currentPkg minPkg = minPkg{}
var currentPkg = minPkg{}
var idx = make(map[string]pkgPosition, 0)
scanner := bufio.NewScanner(parser.r)

3
pkg/dependency/parser/julia/manifest/parse.go
View File

@@ -140,6 +140,9 @@ func decodeDependency(man *primitiveManifest, dep primitiveDependency, metadata
var possibleUuids []string
for _, depName := range possibleDeps {
primDep := man.Dependencies[depName]
if len(primDep) == 0 {
return primitiveDependency{}, xerrors.Errorf("Dependency %q has invalid format (parsed no deps): %s", depName, primDep)
}
if len(primDep) > 1 {
return primitiveDependency{}, xerrors.Errorf("Dependency %q has invalid format (parsed multiple deps): %s", depName, primDep)
}

16
pkg/dependency/parser/julia/manifest/parse_test.go
View File

@@ -17,6 +17,7 @@ func TestParse(t *testing.T) {
file string // Test input file
want []ftypes.Package
wantDeps []ftypes.Dependency
wantErr string
}{
{
name: "Manifest v1.6",
@@ -60,6 +61,16 @@ func TestParse(t *testing.T) {
want: juliaV10FormatPkgs,
wantDeps: juliaV10FormatDeps,
},
{
name: "Manifest file doesn't contain child dependency of another dependency",
file: "testdata/missed-child-dep/Manifest.toml",
wantErr: "has invalid format (parsed no deps)",
},
{
name: "Manifest file contains multiple dependencies with same name",
file: "testdata/multiple-same-deps/Manifest.toml",
wantErr: "has invalid format (parsed multiple deps)",
},
}
for _, tt := range tests {
@@ -68,6 +79,11 @@ func TestParse(t *testing.T) {
require.NoError(t, err)
gotPkgs, gotDeps, err := NewParser().Parse(f)
if tt.wantErr != "" {
require.ErrorContains(t, err, tt.wantErr)
return
}
require.NoError(t, err)
sort.Sort(ftypes.Packages(tt.want))

16
pkg/dependency/parser/julia/manifest/testdata/missed-child-dep/Manifest.toml vendored Normal file
View File

@@ -0,0 +1,16 @@
# This file is machine-generated - editing it directly is not advised
[[Base64]]
uuid = "2a0f44e3-6c83-55bd-87e4-b1978d98bd5f"
[[Dates]]
deps = ["Printf"]
uuid = "ade2ca70-3891-5945-98fb-dc099432e06a"
[[InteractiveUtils]]
deps = ["Markdown"]
uuid = "b77e0a4c-d291-57a0-90e8-8db25a27a240"
[[LibGit2]]
deps = ["Printf"]
uuid = "76f85450-5226-5b5a-8eaa-529ad045b433"

11
pkg/dependency/parser/julia/manifest/testdata/multiple-same-deps/Manifest.toml vendored Normal file
View File

@@ -0,0 +1,11 @@
# This file is machine-generated - editing it directly is not advised
[[Dates]]
deps = ["Printf"]
uuid = "ade2ca70-3891-5945-98fb-dc099432e06a"
[[Printf]]
uuid = "de0858da-6303-5e67-8744-51eddeeeb8d7"
[[Printf]]
uuid = "de0858da-6303-5e67-8744-51eddeeeb8d8"

176
pkg/dependency/parser/nodejs/bun/parse.go Normal file
View File

@@ -0,0 +1,176 @@
package bun
import (
"fmt"
"io"
"sort"
"strings"
"github.com/go-json-experiment/json"
"github.com/go-json-experiment/json/jsontext"
"github.com/samber/lo"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy/pkg/dependency"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/set"
xio "github.com/aquasecurity/trivy/pkg/x/io"
xjson "github.com/aquasecurity/trivy/pkg/x/json"
)
type LockFile struct {
Packages map[string]ParsedPackage `json:"packages"`
Workspaces map[string]Workspace `json:"workspaces"`
LockfileVersion int `json:"lockfileVersion"`
}
type Workspace struct {
Name string `json:"name"`
Version string `json:"version"`
Dependencies map[string]string `json:"dependencies"`
DevDependencies map[string]string `json:"devDependencies"`
OptionalDependencies map[string]string `json:"optionalDependencies"`
PeerDependencies map[string]string `json:"peerDependencies"`
}
type ParsedPackage struct {
Identifier string
Meta map[string]any
xjson.Location
}
type Parser struct{}
func NewParser() *Parser {
return &Parser{}
}
func (p *ParsedPackage) UnmarshalJSON(data []byte) error {
var raw []jsontext.Value
if err := json.Unmarshal(data, &raw); err != nil {
return fmt.Errorf("expected package format: %w", err)
}
if len(raw) < 1 {
return fmt.Errorf("invalid package entry: not enough elements: %s", string(data))
}
if err := json.Unmarshal(raw[0], &p.Identifier); err != nil {
return err
}
if len(raw) > 2 {
if err := json.Unmarshal(raw[2], &p.Meta); err != nil {
return err
}
}
return nil
}
func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependency, error) {
var lockFile LockFile
data, err := io.ReadAll(r)
if err != nil {
return nil, nil, xerrors.Errorf("file read error: %w", err)
}
if err = xjson.UnmarshalJSONC(data, &lockFile); err != nil {
return nil, nil, xerrors.Errorf("JSON decode error: %w", err)
}
pkgs := make(map[string]ftypes.Package, len(lockFile.Packages))
deps := make(map[string][]string)
prodDirectDeps := set.New[string]()
devDirectDeps := set.New[string]()
for _, ws := range lockFile.Workspaces {
prodDirectDeps.Append(lo.Keys(ws.Dependencies)...)
prodDirectDeps.Append(lo.Keys(ws.PeerDependencies)...)
prodDirectDeps.Append(lo.Keys(ws.OptionalDependencies)...)
devDirectDeps.Append(lo.Keys(ws.DevDependencies)...)
}
for pkgName, parsed := range lockFile.Packages {
pkgVersion := strings.TrimPrefix(parsed.Identifier, pkgName+"@")
if strings.HasPrefix(pkgVersion, "workspace") {
pkgVersion = lockFile.Workspaces[pkgName].Version
}
pkgId := packageID(pkgName, pkgVersion)
isDirect := prodDirectDeps.Contains(pkgName) || devDirectDeps.Contains(pkgName)
relationship := ftypes.RelationshipIndirect
if _, ok := lockFile.Workspaces[pkgName]; ok {
relationship = ftypes.RelationshipWorkspace
} else if isDirect {
relationship = ftypes.RelationshipDirect
}
newPkg := ftypes.Package{
ID: pkgId,
Name: pkgName,
Version: pkgVersion,
Relationship: relationship,
Dev: true, // Mark all dependencies as Dev. We will handle them later.
Locations: []ftypes.Location{ftypes.Location(parsed.Location)},
}
pkgs[pkgName] = newPkg
var dependsOn []string
if depMap, ok := parsed.Meta["dependencies"].(map[string]any); ok {
dependsOn = lo.Keys(depMap)
}
if len(dependsOn) > 0 {
sort.Strings(dependsOn)
deps[pkgName] = dependsOn
}
}
for _, pkg := range pkgs {
// Workspaces are always prod deps.
if pkg.Relationship == ftypes.RelationshipWorkspace {
pkg.Dev = false
pkgs[pkg.Name] = pkg
continue
}
if pkg.Relationship != ftypes.RelationshipDirect || !prodDirectDeps.Contains(pkg.Name) {
continue
}
walkProdPackages(pkg.Name, pkgs, deps, set.New[string]())
}
depSlice := lo.MapToSlice(deps, func(depName string, dependsOn []string) ftypes.Dependency {
id := pkgs[depName]
dependsOnIDs := make([]string, 0, len(dependsOn))
for _, d := range dependsOn {
dependsOnIDs = append(dependsOnIDs, pkgs[d].ID)
}
return ftypes.Dependency{
ID: id.ID,
DependsOn: dependsOnIDs,
}
})
pkgSlice := lo.Values(pkgs)
sort.Sort(ftypes.Packages(pkgSlice))
sort.Sort(ftypes.Dependencies(depSlice))
return pkgSlice, depSlice, nil
}
// walkProdPackages marks all packages in the dependency tree of the given package as prod packages (Dev == false).
func walkProdPackages(pkgName string, pkgs map[string]ftypes.Package, deps map[string][]string, visited set.Set[string]) {
if visited.Contains(pkgName) {
return
}
// Disable Dev field for prod pkgs.
pkg := pkgs[pkgName]
pkg.Dev = false
pkgs[pkgName] = pkg
visited.Append(pkgName)
for _, dep := range deps[pkgName] {
walkProdPackages(dep, pkgs, deps, visited)
}
}
func packageID(name, version string) string {
return dependency.ID(ftypes.Bun, name, version)
}

57
pkg/dependency/parser/nodejs/bun/parse_test.go Normal file
View File

@@ -0,0 +1,57 @@
package bun
import (
"os"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
)
func TestParse(t *testing.T) {
tests := []struct {
name string
file string // Test input file
want []ftypes.Package
wantDeps []ftypes.Dependency
wantErr string
}{
{
name: "normal",
file: "testdata/bun_happy.lock",
want: normalPkgs,
wantDeps: normalDeps,
},
{
name: "invalid lockfile",
file: "testdata/bun_invalid.lock",
wantErr: "JSON decode error",
},
{
name: "multiple workspaces",
file: "testdata/bun_multiple_ws.lock",
want: multipleWsPkgs,
wantDeps: multipleWsDeps,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
f, err := os.Open(tt.file)
require.NoError(t, err)
defer f.Close()
got, deps, err := NewParser().Parse(f)
if tt.wantErr != "" {
assert.ErrorContains(t, err, tt.wantErr)
return
}
require.NoError(t, err)
assert.Equal(t, tt.want, got)
if tt.wantDeps != nil {
assert.Equal(t, tt.wantDeps, deps)
}
})
}
}

160
pkg/dependency/parser/nodejs/bun/parse_testcase.go Normal file
View File

@@ -0,0 +1,160 @@
package bun
import (
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
)
var (
normalPkgs = []ftypes.Package{
{
ID: "@types/bun@1.2.13",
Name: "@types/bun",
Version: "1.2.13",
Relationship: ftypes.RelationshipDirect,
Dev: true,
Locations: ftypes.Locations{
{
StartLine: 18,
EndLine: 18,
},
},
},
{
ID: "typescript@5.8.3",
Name: "typescript",
Version: "5.8.3",
Relationship: ftypes.RelationshipDirect,
Dev: false,
Locations: ftypes.Locations{
{
StartLine: 24,
EndLine: 24,
},
},
},
{
ID: "zod@3.24.4",
Name: "zod",
Version: "3.24.4",
Relationship: ftypes.RelationshipDirect,
Dev: false,
Locations: ftypes.Locations{
{
StartLine: 28,
EndLine: 28,
},
},
},
{
ID: "@types/node@22.15.18",
Name: "@types/node",
Version: "22.15.18",
Relationship: ftypes.RelationshipIndirect,
Dev: true,
Locations: ftypes.Locations{
{
StartLine: 20,
EndLine: 20,
},
},
},
{
ID: "bun-types@1.2.13",
Name: "bun-types",
Version: "1.2.13",
Relationship: ftypes.RelationshipIndirect,
Dev: true,
Locations: ftypes.Locations{
{
StartLine: 22,
EndLine: 22,
},
},
},
{
ID: "undici-types@6.21.0",
Name: "undici-types",
Version: "6.21.0",
Relationship: ftypes.RelationshipIndirect,
Dev: false,
Locations: ftypes.Locations{
{
StartLine: 26,
EndLine: 26,
},
},
},
}
multipleWsPkgs = []ftypes.Package{
{
ID: "my-app@1.0.0",
Name: "my-app",
Version: "1.0.0",
Relationship: ftypes.RelationshipWorkspace,
Locations: ftypes.Locations{
{
StartLine: 27,
EndLine: 27,
},
},
},
{
ID: "my-lib@1.0.0",
Name: "my-lib",
Version: "1.0.0",
Relationship: ftypes.RelationshipWorkspace,
Locations: ftypes.Locations{
{
StartLine: 29,
EndLine: 29,
},
},
},
{
ID: "chalk@5.0.1",
Name: "chalk",
Version: "5.0.1",
Relationship: ftypes.RelationshipDirect,
Locations: ftypes.Locations{
{
StartLine: 23,
EndLine: 23,
},
},
},
{
ID: "lodash@4.17.21",
Name: "lodash",
Version: "4.17.21",
Relationship: ftypes.RelationshipDirect,
Locations: ftypes.Locations{
{
StartLine: 25,
EndLine: 25,
},
},
},
}
normalDeps = []ftypes.Dependency{
{
ID: "@types/bun@1.2.13",
DependsOn: []string{"bun-types@1.2.13"},
},
{
ID: "@types/node@22.15.18",
DependsOn: []string{"undici-types@6.21.0"},
},
{
ID: "bun-types@1.2.13",
DependsOn: []string{"@types/node@22.15.18"},
},
{
ID: "zod@3.24.4",
DependsOn: []string{"undici-types@6.21.0"},
},
}
multipleWsDeps = []ftypes.Dependency(nil)
)

30
pkg/dependency/parser/nodejs/bun/testdata/bun_happy.lock vendored Normal file
View File

@@ -0,0 +1,30 @@
{
"lockfileVersion": 1,
"workspaces": {
"": {
"name": "buntest",
"devDependencies": {
"@types/bun": "latest",
},
"optionalDependencies": {
"zod": "^3.24.4",
},
"peerDependencies": {
"typescript": "^5",
},
},
},
"packages": {
"@types/bun": ["@types/bun@1.2.13", "", { "dependencies": { "bun-types": "1.2.13" } }, "sha512-u6vXep/i9VBxoJl3GjZsl/BFIsvML8DfVDO0RYLEwtSZSp981kEO1V5NwRcO1CPJ7AmvpbnDCiMKo3JvbDEjAg=="],
"@types/node": ["@types/node@22.15.18", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-v1DKRfUdyW+jJhZNEI1PYy29S2YRxMV5AOO/x/SjKmW0acCIOqmbj6Haf9eHAhsPmrhlHSxEhv/1WszcLWV4cg=="],
"bun-types": ["bun-types@1.2.13", "", { "dependencies": { "@types/node": "*" } }, "sha512-rRjA1T6n7wto4gxhAO/ErZEtOXyEZEmnIHQfl0Dt1QQSB4QV0iP6BZ9/YB5fZaHFQ2dwHFrmPaRQ9GGMX01k9Q=="],
"typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="],
"undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
"zod": ["zod@3.24.4", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-OdqJE9UDRPwWsrHjLN2F8bPxvwJBK22EHLWtanu0LSYr5YqzsaaW3RMgmjwr8Rypg5k+meEJdSPXJZXE/yqOMg=="],
}
}

3
pkg/dependency/parser/nodejs/bun/testdata/bun_invalid.lock vendored Normal file
View File

@@ -0,0 +1,3 @@
{
"lockfileVersion": "not-a-number",
}

31
pkg/dependency/parser/nodejs/bun/testdata/bun_multiple_ws.lock vendored Normal file
View File

@@ -0,0 +1,31 @@
{
"lockfileVersion": 1,
"workspaces": {
"": {
"name": "buntest",
},
"my-app": {
"name": "my-app",
"version": "1.0.0",
"dependencies": {
"lodash": "4.17.21",
},
},
"my-lib": {
"name": "my-lib",
"version": "1.0.0",
"dependencies": {
"chalk": "5.0.1",
},
},
},
"packages": {
"chalk": ["chalk@5.0.1", "", {}, "sha512-Fo07WOYGqMfCWHOzSXOt2CxDbC6skS/jO9ynEcmpANMoPrD+W1r1K6Vx7iNm+AQmETU1Xr2t+n8nzkV9t6xh3w=="],
"lodash": ["lodash@4.17.21", "", {}, "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="],
"my-app": ["my-app@workspace:my-app"],
"my-lib": ["my-lib@workspace:my-lib"],
}
}

1
pkg/dependency/parser/nodejs/pnpm/parse.go
View File

@@ -245,7 +245,6 @@ func (p *Parser) markRootPkgs(id string, pkgs map[string]ftypes.Package, deps ma
for _, depID := range deps[id].DependsOn {
p.markRootPkgs(depID, pkgs, deps, visited)
}
return
}
func (p *Parser) parseLockfileVersion(lockFile LockFile) float64 {

2
pkg/dependency/parser/rust/cargo/naive_pkg_parser.go
View File

@@ -28,7 +28,7 @@ type naivePkgParser struct {
}
func (parser *naivePkgParser) parse() map[string]pkgPosition {
var currentPkg minPkg = minPkg{}
var currentPkg = minPkg{}
var idx = make(map[string]pkgPosition, 0)
scanner := bufio.NewScanner(parser.r)

2
pkg/detector/library/driver.go
View File

@@ -42,7 +42,7 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
case ftypes.Jar, ftypes.Pom, ftypes.Gradle, ftypes.Sbt:
ecosystem = vulnerability.Maven
comparer = maven.Comparer{}
case ftypes.Npm, ftypes.Yarn, ftypes.Pnpm, ftypes.NodePkg, ftypes.JavaScript:
case ftypes.Npm, ftypes.Yarn, ftypes.Pnpm, ftypes.Bun, ftypes.NodePkg, ftypes.JavaScript:
ecosystem = vulnerability.Npm
comparer = npm.Comparer{}
case ftypes.NuGet, ftypes.DotNetCore, ftypes.PackagesProps:

2
pkg/detector/ospkg/alma/alma_test.go
View File

@@ -162,7 +162,7 @@ func TestScanner_Detect(t *testing.T) {
defer db.Close()
s := alma.NewScanner()
got, err := s.Detect(nil, tt.args.osVer, nil, tt.args.pkgs)
got, err := s.Detect(t.Context(), tt.args.osVer, nil, tt.args.pkgs)
if tt.wantErr != "" {
require.ErrorContains(t, err, tt.wantErr)
return

68
pkg/detector/ospkg/alpine/alpine.go
View File

@@ -17,41 +17,39 @@ import (
"github.com/aquasecurity/trivy/pkg/types"
)
var (
eolDates = map[string]time.Time{
"2.0": time.Date(2012, 4, 1, 23, 59, 59, 0, time.UTC),
"2.1": time.Date(2012, 11, 1, 23, 59, 59, 0, time.UTC),
"2.2": time.Date(2013, 5, 1, 23, 59, 59, 0, time.UTC),
"2.3": time.Date(2013, 11, 1, 23, 59, 59, 0, time.UTC),
"2.4": time.Date(2014, 5, 1, 23, 59, 59, 0, time.UTC),
"2.5": time.Date(2014, 11, 1, 23, 59, 59, 0, time.UTC),
"2.6": time.Date(2015, 5, 1, 23, 59, 59, 0, time.UTC),
"2.7": time.Date(2015, 11, 1, 23, 59, 59, 0, time.UTC),
"3.0": time.Date(2016, 5, 1, 23, 59, 59, 0, time.UTC),
"3.1": time.Date(2016, 11, 1, 23, 59, 59, 0, time.UTC),
"3.2": time.Date(2017, 5, 1, 23, 59, 59, 0, time.UTC),
"3.3": time.Date(2017, 11, 1, 23, 59, 59, 0, time.UTC),
"3.4": time.Date(2018, 5, 1, 23, 59, 59, 0, time.UTC),
"3.5": time.Date(2018, 11, 1, 23, 59, 59, 0, time.UTC),
"3.6": time.Date(2019, 5, 1, 23, 59, 59, 0, time.UTC),
"3.7": time.Date(2019, 11, 1, 23, 59, 59, 0, time.UTC),
"3.8": time.Date(2020, 5, 1, 23, 59, 59, 0, time.UTC),
"3.9": time.Date(2020, 11, 1, 23, 59, 59, 0, time.UTC),
"3.10": time.Date(2021, 5, 1, 23, 59, 59, 0, time.UTC),
"3.11": time.Date(2021, 11, 1, 23, 59, 59, 0, time.UTC),
"3.12": time.Date(2022, 5, 1, 23, 59, 59, 0, time.UTC),
"3.13": time.Date(2022, 11, 1, 23, 59, 59, 0, time.UTC),
"3.14": time.Date(2023, 5, 1, 23, 59, 59, 0, time.UTC),
"3.15": time.Date(2023, 11, 1, 23, 59, 59, 0, time.UTC),
"3.16": time.Date(2024, 5, 23, 23, 59, 59, 0, time.UTC),
"3.17": time.Date(2024, 11, 22, 23, 59, 59, 0, time.UTC),
"3.18": time.Date(2025, 5, 9, 23, 59, 59, 0, time.UTC),
"3.19": time.Date(2025, 11, 1, 23, 59, 59, 0, time.UTC),
"3.20": time.Date(2026, 04, 1, 23, 59, 59, 0, time.UTC),
"3.21": time.Date(2026, 12, 5, 23, 59, 59, 0, time.UTC),
"edge": time.Date(9999, 1, 1, 0, 0, 0, 0, time.UTC),
}
)
var eolDates = map[string]time.Time{
"2.0": time.Date(2012, 4, 1, 23, 59, 59, 0, time.UTC),
"2.1": time.Date(2012, 11, 1, 23, 59, 59, 0, time.UTC),
"2.2": time.Date(2013, 5, 1, 23, 59, 59, 0, time.UTC),
"2.3": time.Date(2013, 11, 1, 23, 59, 59, 0, time.UTC),
"2.4": time.Date(2014, 5, 1, 23, 59, 59, 0, time.UTC),
"2.5": time.Date(2014, 11, 1, 23, 59, 59, 0, time.UTC),
"2.6": time.Date(2015, 5, 1, 23, 59, 59, 0, time.UTC),
"2.7": time.Date(2015, 11, 1, 23, 59, 59, 0, time.UTC),
"3.0": time.Date(2016, 5, 1, 23, 59, 59, 0, time.UTC),
"3.1": time.Date(2016, 11, 1, 23, 59, 59, 0, time.UTC),
"3.2": time.Date(2017, 5, 1, 23, 59, 59, 0, time.UTC),
"3.3": time.Date(2017, 11, 1, 23, 59, 59, 0, time.UTC),
"3.4": time.Date(2018, 5, 1, 23, 59, 59, 0, time.UTC),
"3.5": time.Date(2018, 11, 1, 23, 59, 59, 0, time.UTC),
"3.6": time.Date(2019, 5, 1, 23, 59, 59, 0, time.UTC),
"3.7": time.Date(2019, 11, 1, 23, 59, 59, 0, time.UTC),
"3.8": time.Date(2020, 5, 1, 23, 59, 59, 0, time.UTC),
"3.9": time.Date(2020, 11, 1, 23, 59, 59, 0, time.UTC),
"3.10": time.Date(2021, 5, 1, 23, 59, 59, 0, time.UTC),
"3.11": time.Date(2021, 11, 1, 23, 59, 59, 0, time.UTC),
"3.12": time.Date(2022, 5, 1, 23, 59, 59, 0, time.UTC),
"3.13": time.Date(2022, 11, 1, 23, 59, 59, 0, time.UTC),
"3.14": time.Date(2023, 5, 1, 23, 59, 59, 0, time.UTC),
"3.15": time.Date(2023, 11, 1, 23, 59, 59, 0, time.UTC),
"3.16": time.Date(2024, 5, 23, 23, 59, 59, 0, time.UTC),
"3.17": time.Date(2024, 11, 22, 23, 59, 59, 0, time.UTC),
"3.18": time.Date(2025, 5, 9, 23, 59, 59, 0, time.UTC),
"3.19": time.Date(2025, 11, 1, 23, 59, 59, 0, time.UTC),
"3.20": time.Date(2026, 4, 1, 23, 59, 59, 0, time.UTC),
"3.21": time.Date(2026, 12, 5, 23, 59, 59, 0, time.UTC),
"edge": time.Date(9999, 1, 1, 0, 0, 0, 0, time.UTC),
}
// Scanner implements the Alpine scanner
type Scanner struct {

2
pkg/detector/ospkg/alpine/alpine_test.go
View File

@@ -251,7 +251,7 @@ func TestScanner_Detect(t *testing.T) {
defer db.Close()
s := alpine.NewScanner()
got, err := s.Detect(nil, tt.args.osVer, tt.args.repo, tt.args.pkgs)
got, err := s.Detect(t.Context(), tt.args.osVer, tt.args.repo, tt.args.pkgs)
if tt.wantErr != "" {
require.ErrorContains(t, err, tt.wantErr)
return

2
pkg/detector/ospkg/amazon/amazon_test.go
View File

@@ -177,7 +177,7 @@ func TestScanner_Detect(t *testing.T) {
defer db.Close()
s := amazon.NewScanner()
got, err := s.Detect(nil, tt.args.osVer, nil, tt.args.pkgs)
got, err := s.Detect(t.Context(), tt.args.osVer, nil, tt.args.pkgs)
if tt.wantErr != "" {
require.ErrorContains(t, err, tt.wantErr)
return

2
pkg/detector/ospkg/azure/azure_test.go
View File

@@ -185,7 +185,7 @@ func TestScanner_Detect(t *testing.T) {
if tt.args.dist == azurevs.Mariner {
s = azure.NewMarinerScanner()
}
got, err := s.Detect(nil, tt.args.osVer, nil, tt.args.pkgs)
got, err := s.Detect(t.Context(), tt.args.osVer, nil, tt.args.pkgs)
if tt.wantErr != "" {
require.ErrorContains(t, err, tt.wantErr)
return

28
pkg/detector/ospkg/bottlerocket/bottlerocket.go Normal file
View File

@@ -0,0 +1,28 @@
package bottlerocket
import (
"context"
osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/types"
)
// Scanner implements the Bottlerocket scanner
type Scanner struct {
}
// NewScanner is the factory method for Scanner
func NewScanner() *Scanner {
return &Scanner{}
}
func (s *Scanner) Detect(ctx context.Context, _ string, _ *ftypes.Repository, _ []ftypes.Package) ([]types.DetectedVulnerability, error) {
log.InfoContext(ctx, "Vulnerability detection of Bottlerocket packages is currently not supported.")
return nil, nil
}
func (s *Scanner) IsSupportedVersion(ctx context.Context, osFamily ftypes.OSType, osVer string) bool {
return osver.Supported(ctx, nil, osFamily, osver.Minor(osVer))
}

2
pkg/detector/ospkg/chainguard/chainguard_test.go
View File

@@ -194,7 +194,7 @@ func TestScanner_Detect(t *testing.T) {
defer db.Close()
s := chainguard.NewScanner()
got, err := s.Detect(nil, "", tt.args.repo, tt.args.pkgs)
got, err := s.Detect(t.Context(), "", tt.args.repo, tt.args.pkgs)
if tt.wantErr != "" {
require.ErrorContains(t, err, tt.wantErr)
return

2
pkg/detector/ospkg/debian/debian_test.go
View File

@@ -115,7 +115,7 @@ func TestScanner_Detect(t *testing.T) {
defer db.Close()
s := debian.NewScanner()
got, err := s.Detect(nil, tt.args.osVer, nil, tt.args.pkgs)
got, err := s.Detect(t.Context(), tt.args.osVer, nil, tt.args.pkgs)
if tt.wantErr != "" {
require.ErrorContains(t, err, tt.wantErr)
return

6
pkg/detector/ospkg/detect.go
View File

@@ -11,8 +11,11 @@ import (
"github.com/aquasecurity/trivy/pkg/detector/ospkg/alpine"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/amazon"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/azure"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/bottlerocket"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/chainguard"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/debian"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/echo"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/minimos"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/oracle"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/photon"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat"
@@ -34,6 +37,7 @@ var (
ftypes.Alma: alma.NewScanner(),
ftypes.Amazon: amazon.NewScanner(),
ftypes.Azure: azure.NewAzureScanner(),
ftypes.Bottlerocket: bottlerocket.NewScanner(),
ftypes.CBLMariner: azure.NewMarinerScanner(),
ftypes.Debian: debian.NewScanner(),
ftypes.Ubuntu: ubuntu.NewScanner(),
@@ -48,6 +52,8 @@ var (
ftypes.Photon: photon.NewScanner(),
ftypes.Wolfi: wolfi.NewScanner(),
ftypes.Chainguard: chainguard.NewScanner(),
ftypes.Echo: echo.NewScanner(),
ftypes.MinimOS: minimos.NewScanner(),
}
)

80
pkg/detector/ospkg/echo/echo.go Normal file
View File

@@ -0,0 +1,80 @@
package echo
import (
"context"
version "github.com/knqyf263/go-deb-version"
"golang.org/x/xerrors"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
echoDb "github.com/aquasecurity/trivy-db/pkg/vulnsrc/echo"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scan/utils"
"github.com/aquasecurity/trivy/pkg/types"
)
type Scanner struct {
vs echoDb.VulnSrc
}
func NewScanner() *Scanner {
return &Scanner{
vs: echoDb.NewVulnSrc(),
}
}
func (s *Scanner) Detect(ctx context.Context, _ string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
log.InfoContext(ctx, "Detecting vulnerabilities...", log.Int("pkg_num", len(pkgs)))
var detectedVulns []types.DetectedVulnerability
for _, pkg := range pkgs {
advisories, err := s.vs.Get("", pkg.SrcName)
if err != nil {
return nil, xerrors.Errorf("failed to get echo advisories: %w", err)
}
formattedInstalledVersion := utils.FormatVersion(pkg)
installedVersion, err := version.NewVersion(formattedInstalledVersion)
if err != nil {
return nil, xerrors.Errorf("failed to parse installed version: %w", err)
}
for _, advisory := range advisories {
vuln := types.DetectedVulnerability{
PkgID: pkg.ID,
VulnerabilityID: advisory.VulnerabilityID,
InstalledVersion: formattedInstalledVersion,
FixedVersion: advisory.FixedVersion,
PkgName: pkg.Name,
PkgIdentifier: pkg.Identifier,
Status: advisory.Status,
Layer: pkg.Layer,
Custom: advisory.Custom,
DataSource: advisory.DataSource,
}
if advisory.Severity != dbTypes.SeverityUnknown {
vuln.SeveritySource = vulnerability.Echo
vuln.Vulnerability = dbTypes.Vulnerability{
Severity: advisory.Severity.String(),
}
}
if advisory.FixedVersion != "" {
fixedVersion, err := version.NewVersion(advisory.FixedVersion)
if err != nil {
return nil, xerrors.Errorf("failed to parse fixed version: %w", err)
}
if !installedVersion.LessThan(fixedVersion) {
continue
}
}
detectedVulns = append(detectedVulns, vuln)
}
}
return detectedVulns, nil
}
// Echo is a rolling distro, meaning there are no versions, and therefor no need to check the version
func (s *Scanner) IsSupportedVersion(_ context.Context, _ ftypes.OSType, _ string) bool {
return true
}

Some files were not shown because too many files have changed in this diff Show More