trivy/CHANGELOG.md
Aqua Security automated builds 96290ae3fb release: v0.68.1 [main] (#9867)
2025-12-03 08:50:26 +00:00

Changelog

0.68.1 (2025-12-03)

Bug Fixes

  • update cosign settings for GoReleaser after bumping cosign to v3 (#9863) (c7accc8)

0.68.0 (2025-12-02)

Features

  • add ArtifactID field to uniquely identify scan targets (#9663) (84a7d9a)
  • add ReportID field to scan reports (#9670) (fc976be)
  • allow ignoring findings by type in Rego (#9578) (c638fc6)
  • aws: Add support for dualstack ECR endpoints (#9862) (e74e2b1)
  • cli: Add trivy cloud support (#9637) (8e6a7ff)
  • db: enable concurrent access to vulnerability database (#9750) (d70d994)
  • dotnet: add dependency graph support for .deps.json files (#9726) (18c0ee8)
  • flag: add --cacert flag (#9781) (6048173)
  • fs: change artifact type to repository when git info is detected (#9613) (cff91ac)
  • image: add RepoTags support for Docker archives (#9690) (a9a3031)
  • image: add Sigstore bundle SBOM support (#9516) (e1f3f28)
  • image: pass global context to docker/podman image save func (#9733) (2690ac9)
  • include registry and repository in artifact ID calculation (#9689) (758f271)
  • java: add support for remote repositories from settings.xml files (#9708) (eff52eb)
  • license: use separate SPDX ids to ignore SPDX expressions (#9087) (012f3d7)
  • misconf: add agentpools to azure container schema (#9714) (69f400c)
  • misconf: Add RoleAssignments attribute (#9396) (3fb8703)
  • misconf: Add support for configurable Rego error limit (#9657) (445cd2b)
  • misconf: include map key in manifest snippet for diagnostics (#9681) (197c9e1)
  • misconf: support https_traffic_only_enabled in Az storage account (#9784) (c8d5ab7)
  • misconf: Update AppService schema (#9792) (c6d95d7)
  • misconf: Update Azure Compute schema (#9675) (cb58bf6)
  • misconf: Update Azure Container Schema (#9673) (43a7546)
  • misconf: Update Azure network schema for new checks (#9791) (ea2dc58)
  • misconf: Update azure storage schema (#9728) (c3bfecf)
  • misconf: Update SecurityCenter schema (#9674) (58819c5)
  • report: add fingerprint generation for vulnerabilities (#9794) (cbad9ca)
  • report: add image reference to report metadata (#9729) (d020f26)
  • report: switch ReportID from UUIDv4 to UUIDv7 (#9749) (6fb3fde)
  • sbom: add support for SPDX attestations (#9829) (d8eaaeb)
  • sbom: use SPDX license IDs list to validate SPDX IDs (#9569) (35db88c)
  • suse: Add new openSUSE, Micro and SLES releases end of life dates (#9788) (019af7f)

Bug Fixes

  • add buildInfo for BlobInfo in rpc package (#9608) (6def66e)
  • close all opened resources if an error occurs (#9665) (fa6f779)
  • flag: remove viper.SetDefault to fix IsSet() for config-only flags (#9732) (bf43629)
  • java: update order for resolving package fields from multiple depManagement (#9575) (e286c5e)
  • java: use true as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files (#9751) (d87d9b9)
  • license: don't normalize unlicensed licenses into unlicense (#9611) (09162e5)
  • license: handle SPDX WITH exceptions as single license in category detection (#9380) (212f078)
  • misconf: ensure boolean metadata values are correctly interpreted (#9770) (a6ceff7)
  • misconf: ensure value used as ignore marker is non-null and known (#9835) (7aca801)
  • misconf: handle unsupported experimental flags in Dockerfile (#9769) (08d51a8)
  • misconf: map healthcheck start period flag to --start-period instead of --startPeriod (#9837) (7b2b4d4)
  • nodejs: fix npmjs parser.pkgNameFromPath() panic issue (#9688) (231492d)
  • nodejs: use the default ID format to match licenses in pnpm packages. (#9661) (804ea4a)
  • os: Add photon 5.0 in supported OS (#9724) (29f0347)
  • report: correct field order in SARIF license results (#9712) (d20216e)
  • restore compatibility for google.protobuf.Value (#9559) (aeeb2a1)
  • sbom: add buildInfo info as properties (#9683) (2c43425)
  • sbom: don't panic on SBOM format if scanned CycloneDX file has empty metadata (#9562) (fb0593b)
  • Trim the end-of-range suffix (#9618) (e18b038)
  • update all documentation links (#9777) (738b2b4)
  • Use fetch-level: 1 to check out trivy-repo in the release workflow (#9636) (6e53686)
  • use context for analyzers (#9538) (b885d3a)
  • using SrcVersion instead of Version for echo detector (#9552) (66479f0)
  • validate backport branch name (#9548) (f0fd432)
  • vex: don't use reused BOM (#9604) (7422cc7)
  • vex: use a separate visited set for each DFS path (#9760) (c274f5b)

0.67.0 (2025-09-30)

Features

  • add documentation URL for database lock errors (#9531) (eba48af)
  • cli: change --list-all-pkgs default to true (#9510) (7b663d8)
  • cloudformation: support default values and list results in Fn::FindInMap (#9515) (42b3bf3)
  • cyclonedx: preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439) (aff03eb)
  • redhat: add os-release detection for RHEL-based images (#9458) (cb25a07)
  • sbom: added support for CoreOS (#9448) (6d562a3)
  • seal: add seal support (#9370) (e4af279)

Bug Fixes

  • aws: use BuildableClient instead of xhttp.Client (#9436) (fa6f1bf)
  • close file descriptors and pipes on error paths (#9536) (a4cbd6a)
  • db: Download database when missing but metadata still exists (#9393) (92ebc7e)
  • k8s: disable parallel traversal with fs cache for k8s images (#9534) (c0c7a6b)
  • misconf: handle tofu files in module detection (#9486) (bfd2f6b)
  • misconf: strip build metadata suffixes from image history (#9498) (c938806)
  • misconf: unmark cty values before access (#9495) (8e40d27)
  • misconf: wrap legacy ENV values in quotes to preserve spaces (#9497) (267a970)
  • nodejs: parse workspaces as objects for package-lock.json files (#9518) (404abb3)
  • nodejs: use snapshot string as Package.ID for pnpm packages (#9330) (4517e8c)
  • vex: don't suppress vulns for packages with infinite loop (#9465) (78f0d4a)
  • vuln: compare nuget package names in lower case (#9456) (1ff9ac7)

0.66.0 (2025-09-02)

Features

  • add timeout handling for cache database operations (#9307) (235c24e)
  • misconf: added audit config attribute (#9249) (4d4a244)
  • secret: implement streaming secret scanner with byte offset tracking (#9264) (5a5e097)
  • terraform: use .terraform cache for remote modules in plan scanning (#9277) (298a994)

Bug Fixes

  • conda: memory leak by adding closure method for package.json file (#9349) (03d039f)
  • create temp file under composite fs dir (#9387) (ce22f54)
  • cyclonedx: handle multiple license types (#9378) (46ab76a)
  • fs: avoid shadowing errors in file.glob (#9286) (b51c789)
  • image: use standardized HTTP client for ECR authentication (#9322) (84fbf86)
  • misconf: ensure ignore rules respect subdirectory chart paths (#9324) (d3cd101)
  • misconf: ensure module source is known (#9404) (81d9425)
  • misconf: preserve original paths of remote submodules from .terraform (#9294) (1319d8d)
  • misconf: use correct field log_bucket instead of target_bucket in gcp bucket (#9296) (04ad0c4)
  • persistent flag option typo (#9374) (6e99dd3)
  • plugin: don't remove plugins when updating index.yaml file (#9358) (5f067ac)
  • python: improve package name normalization (#9290) (1473e88)
  • repo: preserve RepoMetadata on FS cache hit (#9389) (4f2a44e)
  • repo: sanitize git repo URL before inserting into report metadata (#9391) (1ac9b1f)
  • sbom: add support for file component type of CycloneDX (#9372) (aa7cf43)
  • suppress debug log for context cancellation errors (#9298) (2458d5e)

0.65.0 (2025-07-30)

Features

  • add graceful shutdown with signal handling (#9242) (2c05882)
  • add HTTP request/response tracing support (#9125) (aa5b32a)
  • alma: add AlmaLinux 10 support (#9207) (861d51e)
  • flag: add schema validation for --server flag (#9270) (ed4640e)
  • image: add Docker context resolution (#9166) (99cd4e7)
  • license: observe pkg types option in license scanner (#9091) (d44af8c)
  • misconf: add private ip google access attribute to subnetwork (#9199) (263845c)
  • misconf: added logging and versioning to the gcp storage bucket (#9226) (110f80e)
  • repo: add git repository metadata to reports (#9252) (f4b2cf1)
  • report: add CVSS vectors in sarif report (#9157) (60723e6)
  • sbom: add SHA-512 hash support for CycloneDX SBOM (#9126) (12d6706)

Bug Fixes

  • alma: parse epochs from rpmqa file (#9101) (82db2fc)
  • also check filepath when removing duplicate packages (#9142) (4d10a81)
  • aws: update amazon linux 2 EOL date (#9176) (0ecfed6)
  • cli: Add more non-sensitive flags to telemetry (#9110) (7041a39)
  • cli: ensure correct command is picked by telemetry (#9260) (b4ad00f)
  • cli: panic: attempt to get os.Args[1] when len(os.Args) < 2 (#9206) (adfa879)
  • license: add missed GFDL-NIV-1.1 and GFDL-NIV-1.2 into Trivy mapping (#9116) (a692f29)
  • license: handle WITH operator for LaxSplitLicenses (#9232) (b4193d0)
  • migrate from *.list to *.md5sums files for dpkg (#9131) (f224de3)
  • misconf: correctly adapt azure storage account (#9138) (51aa022)
  • misconf: correctly parse empty port ranges in google_compute_firewall (#9237) (77bab7b)
  • misconf: fix log bucket in schema (#9235) (7ebc129)
  • misconf: skip rewriting expr if attr is nil (#9113) (42ccd3d)
  • nodejs: don't use prerelease logic for compare npm constraints (#9208) (fe96436)
  • prevent graceful shutdown message on normal exit (#9244) (6095984)
  • rootio: check full version to detect root.io packages (#9117) (c2ddd44)
  • rootio: fix severity selection (#9181) (6fafbeb)
  • sbom: merge in-graph and out-of-graph OS packages in scan results (#9194) (aa944cc)
  • sbom: use correct field for licenses in CycloneDX reports (#9057) (143da88)
  • secret: add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#9253) (54832a7)
  • secret: fix line numbers for multiple-line secrets (#9104) (e579746)
  • server: add HTTP transport setup to server mode (#9217) (1163b04)
  • supporting .egg-info/METADATA in python.Packaging analyzer (#9151) (e306e2d)
  • terraform: for_each on a map returns a resource for every key (#9156) (153318f)

0.64.0 (2025-06-30)

Features

  • cli: add version constraints to announcements (#9023) (19efa9f)
  • java: dereference all maven settings.xml env placeholders (#9024) (5aade69)
  • misconf: add OpenTofu file extension support (#8747) (57801d0)
  • misconf: normalize CreatedBy for buildah and legacy docker builder (#8953) (65e155f)
  • redhat: Add EOL date for RHEL 10. (#8910) (48258a7)
  • reject unsupported artifact types in remote image retrieval (#9052) (1e1e1b5)
  • sbom: add manufacturer field to CycloneDX tools metadata (#9019) (41d0f94)
  • terraform: add partial evaluation for policy templates (#8967) (a9f7dcd)
  • ubuntu: add end of life date for Ubuntu 25.04 (#9077) (367564a)
  • ubuntu: add eol date for 20.04-ESM (#8981) (87118a0)
  • vuln: add Root.io support for container image scanning (#9073) (3a0ec0f)

Bug Fixes

  • Add missing version check flags (#8951) (ef5f8de)
  • cli: add some values to the telemetry call (#9056) (fd2bc91)
  • Correctly check for semver versions for trivy version check (#8948) (b813527)
  • don't show corrupted trivy-db warning for first run (#8991) (4ed78e3)
  • misconf: .Config.User always takes precedence over USER in .History (#9050) (371b8cc)
  • misconf: correct Azure value-to-time conversion in AsTimeValue (#9015) (40d017b)
  • misconf: move disabled checks filtering after analyzer scan (#9002) (a58c36d)
  • misconf: reduce log noise on incompatible check (#9029) (99c5151)
  • nodejs: correctly parse packages array of bun.lock file (#8998) (875ec3a)
  • report: don't panic when report contains vulns, but doesn't contain packages for table format (#8549) (87fda76)
  • sbom: remove unnecessary OS detection check in SBOM decoding (#9034) (198789a)

0.63.0 (2025-05-29)

Features

  • add Bottlerocket OS package analyzer (#8653) (07ef63b)
  • add JSONC support for comments and trailing commas (#8862) (0b0e406)
  • alpine: add maintainer field extraction for APK packages (#8930) (104bbc1)
  • cli: Add available version checking (#8553) (5a0bf9e)
  • echo: Add Echo Support (#8833) (c7b8cc3)
  • go: support license scanning in both GOPATH and vendor (#8843) (26437be)
  • k8s: get components from namespaced resources (#8918) (4f1ab23)
  • license: improve work text licenses with custom classification (#8888) (ee52230)
  • license: improve work with custom classification of licenses from config file (#8861) (c321fdf)
  • license: scan vendor directory for license for go.mod files (#8689) (dd6a6e5)
  • license: Support compound licenses (licenses using SPDX operators) (#8816) (39f9ed1)
  • minimos: Add support for MinimOS (#8792) (c2dde33)
  • misconf: add misconfiguration location to junit template (#8793) (a516775)
  • misconf: Add support for Minimum Trivy Version (#8880) (3b2a397)
  • misconf: export raw Terraform data to Rego (#8741) (aaecc29)
  • nodejs: add a bun.lock analyzer (#8897) (7ca656d)
  • nodejs: add bun.lock parser (#8851) (1dcf816)
  • terraform parser option to set current working directory (#8909) (8939451)

Bug Fixes

  • check post-analyzers for StaticPaths (#8904) (93e6680)
  • cli: disable --skip-dir and --skip-files flags for sbom command (#8886) (69a5fa1)
  • cli: don't use allow values for --compliance flag (#8881) (35e8889)
  • filter all files when processing files installed from package managers (#8842) (6ebde88)
  • java: exclude dev dependencies in gradle lockfile (#8803) (8995838)
  • julia parser panicking (#8883) (be8c7b7)
  • julia: add Relationship field support (#8939) (22f040f)
  • k8s: use in-memory cache backend during misconfig scanning (#8873) (fe12771)
  • misconf: check if for-each is known when expanding dyn block (#8808) (5706603)
  • misconf: use argument value in WithIncludeDeprecatedChecks (#8942) (7e9a54c)
  • more revive rules (#8814) (3ab459e)
  • octalLiteral from go-critic (#8811) (a19e0aa)
  • redhat: Also try to find buildinfo in root layer (layer 0) (#8924) (906b037)
  • redhat: save contentSets for OS packages in fs/vm modes (#8820) (9256804)
  • redhat: trim invalid suffix from content_sets in manifest parsing (#8818) (fa1077b)
  • server: add missed Relationship field for rpc (#8872) (38f17c9)
  • use-any from revive (#8810) (883c63b)
  • vex: use lo.IsNil to check VEX from OCI artifact (#8858) (e97af98)
  • wolfi: support new APK database location (#8937) (b15d9a6)

Performance Improvements

  • secret: only match secrets of meaningful length, allow example strings to not be matched (#8602) (60fef1b)

0.62.0 (2025-04-30)

Features

  • image: save layers metadata into report (#8394) (a95cab0)
  • misconf: add option to pass Rego scanner to IaC scanner (#8369) (890a360)
  • misconf: convert AWS managed policy to document (#8757) (7abf5f0)
  • misconf: support auto_provisioning_defaults in google_container_cluster (#8705) (9792611)
  • nodejs: add root and workspace for yarn packages (#8535) (bf4cd4f)
  • rust: add root and workspace relationships/package for cargo lock files (#8676) (93efe07)

Bug Fixes

  • early-return, indent-error-flow and superfluous-else rules from revive (#8796) (43350dd)
  • k8s: correctly compare artifact versions (#8682) (cc47711)
  • k8s: remove using last-applied-configuration (#8791) (7a58ccb)
  • k8s: skip passed misconfigs for the summary report (#8684) (bff0e9b)
  • misconf: add missing variable as unknown (#8683) (9dcd06f)
  • misconf: check if metadata is not nil (#8647) (b7dfd64)
  • misconf: filter null nodes when parsing json manifest (#8785) (e10929a)
  • misconf: perform operations on attribute safely (#8774) (3ce7d59)
  • misconf: populate context correctly for module instances (#8656) (efd177b)
  • report: clean buffer after flushing (#8725) (9a5383e)
  • secret: ignore .dist-info directories during secret scanning (#8646) (a032ad6)
  • server: fix redis key when trying to delete blob (#8649) (36f8d0f)
  • terraform: evaluateStep to correctly set EvalContext for multiple instances of blocks (#8555) (e25de25)
  • terraform: hcl object expressions to return references (#8271) (0d3efa5)
  • testifylint last issues (#8768) (ee4f7dc)
  • unused-parameter rule from revive (#8794) (6562082)

0.61.0 (2025-03-28)

Features

  • fs: optimize scanning performance by direct file access for known paths (#8525) (8bf6caf)
  • k8s: add support for controllers (#8614) (1bf0117)
  • misconf: adapt aws_default_security_group (#8538) (b57eccb)
  • misconf: adapt aws_opensearch_domain (#8550) (9913465)
  • misconf: adapt AWS::DynamoDB::Table (#8529) (8112cdf)
  • misconf: adapt AWS::EC2::VPC (#8534) (0d9865f)
  • misconf: Add support for aws_ami (#8499) (573502e)
  • replace TinyGo with standard Go for WebAssembly modules (#8496) (529957e)

Bug Fixes

  • debian: don't include empty licenses for dpkgs (#8623) (346f5b3)
  • fs: check postAnalyzers for StaticPaths (#8543) (c228307)
  • k8s: show report for --report all (#8613) (dbb6f28)
  • misconf: add ephemeral block type to config schema (#8513) (41512f8)
  • misconf: Check values wholly prior to evaluation (#8604) (ad58cf4)
  • misconf: do not skip loading documents from subdirectories (#8526) (de7eb13)
  • misconf: do not use cty.NilVal for non-nil values (#8567) (400a79c)
  • misconf: identify the chart file exactly by name (#8590) (ba77dbe)
  • misconf: Improve logging for unsupported checks (#8634) (5b7704d)
  • misconf: set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548) (1f05b45)
  • misconf: skip Azure CreateUiDefinition (#8503) (c7814f1)
  • spdx: save text licenses into otherLicenses without normalize (#8502) (e5072f1)
  • use --file-patterns flag for all post analyzers (#7365) (8b88238)

Performance Improvements

  • misconf: parse input for Rego once (#8483) (0e5e909)
  • misconf: retrieve check metadata from annotations once (#8478) (7b96351)

0.60.0 (2025-03-05)

Features

  • add --vuln-severity-source flag (#8269) (d464807)
  • add report summary table (#8177) (dd54f80)
  • cyclonedx: Add initial support for loading external VEX files from SBOM references (#8254) (4820eb7)
  • go: fix parsing main module version for go >= 1.24 (#8433) (e58dcfc)
  • misconf: render causes for Terraform (#8360) (a99498c)

Bug Fixes

  • db: fix case when 2 trivy-db were copied at the same time (#8452) (bb3cca6)
  • don't use scope for trivy registry login command (#8393) (8715e5d)
  • go: merge nested flags into string for ldflags for Go binaries (#8368) (b675b06)
  • image: disable AVD-DS-0007 for history scanning (#8366) (a3cd693)
  • k8s: add missed option PkgRelationships (#8442) (f987e41)
  • misconf: do not log scanners when misconfig scanning is disabled (#8345) (5695eb2)
  • misconf: ecs include enhanced for container insights (#8326) (39789ff)
  • misconf: fix incorrect k8s locations due to JSON to YAML conversion (#8073) (a994453)
  • os: add mapping OS aliases (#8466) (6b4cebe)
  • python: add poetry v2 support (#8323) (10cd98c)
  • report: remove html escaping for shortDescription and fullDescription fields for sarif reports (#8344) (3eb0b03)
  • sbom: add SBOM file's filePath as Application FilePath if we can't detect its path (#8346) (ecc01bb)
  • sbom: improve logic for binding direct dependency to parent component (#8489) (85cca8c)
  • sbom: preserve OS packages from multiple SBOMs (#8325) (bd5baaf)
  • server: secrets inspection for the config analyzer in client server mode (#8418) (a1c4bd7)
  • spdx: init pkgFilePaths map for all formats (#8380) (72ea4b0)
  • terraform: apply parser options to submodule parsing (#8377) (398620b)
  • update all documentation links (#8045) (49456ba)

0.59.0 (2025-01-30)

Features

  • add --distro flag to manually specify OS distribution for vulnerability scanning (#8070) (da17dc7)
  • add an examples field to check metadata (#8068) (6d84e0c)
  • add support for registry mirrors (#8244) (4316bcb)
  • fs: use git commit hash as cache key for clean repositories (#8278) (b5062f3)
  • image: prevent scanning oversized container images (#8178) (509e030)
  • image: return error early if total size of layers exceeds limit (#8294) (73bd20d)
  • k8s: improve artifact selections for specific namespaces (#8248) (db9e57a)
  • misconf: generate placeholders for random provider resources (#8051) (ffe24e1)
  • misconf: support for ignoring by inline comments for Dockerfile (#8115) (c002327)
  • misconf: support for ignoring by inline comments for Helm (#8138) (a0429f7)
  • nodejs: respect peer dependencies for dependency tree (#7989) (7389961)
  • python: add support for poetry dev dependencies (#8152) (774e04d)
  • python: add support for uv (#8080) (c4a4a5f)
  • python: add support for uv dev and optional dependencies (#8134) (49c54b4)

Bug Fixes

  • CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088) (d7ac286)
  • CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207) (670fbf2)
  • de-duplicate same dpkg packages with different filePaths from different layers (#8298) (846498d)
  • enable err-error and errorf rules from perfsprint linter (#7859) (156a2aa)
  • flag: skip hidden flags for --generate-default-config command (#8046) (5e68bdc)
  • fs: fix cache key generation to use UUID (#8275) (eafd810)
  • handle BLOB_UNKNOWN error to download DBs (#8060) (51f2123)
  • improve conversion of image config to Dockerfile (#8308) (2e8e38a)
  • java: correctly overwrite version from depManagement if dependency uses project.* props (#8050) (9d9f80d)
  • license: always trim leading and trailing spaces for licenses (#8095) (f5e4291)
  • misconf: allow null values only for tf variables (#8112) (23dc3a6)
  • misconf: correctly handle all YAML tags in K8S templates (#8259) (f12054e)
  • misconf: disable git terminal prompt on tf module load (#8026) (bbc5a85)
  • misconf: handle heredocs in dockerfile instructions (#8284) (0a3887c)
  • misconf: use log instead of fmt for logging (#8033) (07b2d7f)
  • oracle: add architectures support for advisories (#4809) (90f1d8d)
  • python: skip dev group's deps for poetry (#8106) (a034d26)
  • redhat: check usr/share/buildinfo/ dir to detect content sets (#8222) (f352f6b)
  • redhat: correct rewriting of recommendations for the same vulnerability (#8063) (4202c4b)
  • respect GITHUB_TOKEN to download artifacts from GHCR (#7580) (21b68e1)
  • sbom: attach nested packages to Application (#8144) (735335f)
  • sbom: fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052) (fd07074)
  • sbom: scan results of SBOMs generated from container images are missing layers (#7635) (f9fceb5)
  • sbom: use root package for unknown dependencies (if exists) (#8104) (7558df7)
  • spdx: use the hasExtractedLicensingInfos field for licenses that are not listed in the SPDX (#8077) (aec8885)
  • suse: SUSE - update OSType constants and references for compatibility (#8236) (ae28398)
  • Updated twitter icon (#7772) (2c41ac8)
  • wasm module test (#8099) (2200f38)

Performance Improvements

  • avoid heap allocation in applier findPackage (#7883) (9bd6ed7)

0.58.0 (2024-12-02)

Features

  • add workspaceRelationship (#7889) (d622ca2)
  • add cvss v4 score and vector in scan response (#7968) (e0f2054)
  • go: construct dependencies in the parser (#7973) (bcdc0bb)
  • go: construct dependencies of go.mod main module in the parser (#7977) (5448ba2)
  • k8s: add default commands for unknown platform (#7863) (b1c7f55)
  • misconf: log causes of HCL file parsing errors (#7634) (e9a899a)
  • oracle: add flavors support (#7858) (b9b383e)
  • secret: Add built-in secrets rules for Private Packagist (#7826) (132d9df)
  • suse: Align SUSE/OpenSUSE OS Identifiers (#7965) (45d3b40)
  • Update registry fallbacks (#7679) (5ba9a83)

Bug Fixes

  • alpine: add UID for removed packages (#7887) (07915da)
  • aws: change CPU and Memory type of ContainerDefinition to a string (#7995) (aeeba70)
  • cli: Handle empty ignore files more gracefully (#7962) (4cfb2a9)
  • debian: infinite loop (#7928) (d982e6a)
  • fs: add missing deferred Cleanup() call to post analyzer fs (#7882) (ab32297)
  • Improve version comparisons when build identifiers are present (#7873) (eda4d76)
  • k8s: check all results for vulnerabilities (#7946) (797b36f)
  • misconf: do not erase variable type for child modules (#7941) (de3b7ea)
  • misconf: handle null properties in CloudFormation templates (#7813) (99b2db3)
  • misconf: load full Terraform module (#7925) (fbc42a0)
  • misconf: properly resolve local Terraform cache (#7983) (fe3a897)
  • misconf: Update trivy-checks default repo to mirror.gcr.io (#7953) (9988147)
  • misconf: wrap AWS EnvVar to iac types (#7407) (54130dc)
  • redhat: don't return error if root/buildinfo/content_manifests/ contains files that are not contentSets files (#7912) (38775a5)
  • report: handle git@github.com schema for misconfigs in sarif report (#7898) (19aea4b)
  • sbom: Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871) (461a68a)
  • terraform: set null value as fallback for missing variables (#7669) (611558e)

0.57.0 (2024-10-31)

⚠ BREAKING CHANGES

  • k8s: support k8s multi container (#7444)

Features

  • add end of life date for Ubuntu 24.10 (#7787) (ad3c09e)
  • cli: add trivy auth (#7664) (27117f8)
  • cli: error out when ignore file cannot be found (#7624) (cb0b3a9)
  • cli: rename trivy auth to trivy registry (#7727) (633a7ab)
  • cyclonedx: add file checksums to CycloneDX reports (#7507) (c225883)
  • db: append errors (#7843) (5e78b6c)
  • misconf: export unresolvable field of IaC types to Rego (#7765) (9514148)
  • misconf: public network support for Azure Storage Account (#7601) (ad91412)
  • misconf: Show misconfig ID in output (#7762) (f75c0d1)
  • misconf: ssl_mode support for GCP SQL DB instance (#7564) (2eaa17e)
  • parser: ignore white space in pom.xml files (#7747) (a7baa93)
  • report: update gitlab template to populate operating_system value (#7735) (c0d79fa)

Bug Fixes

  • cli: clean --all deletes only relevant dirs (#7704) (672e886)
  • cli: add config name to skip-policy-update alias (#7820) (b661d68)
  • db: fix javadb downloading error handling (#7642) (2c87f0c)
  • enable usestdlibvars linter (#7770) (57e24aa)
  • go: Do not trim v prefix from versions in Go Mod Analyzer (#7733) (e872ec0)
  • helm: properly handle multiple archived dependencies (#7782) (6fab88d)
  • java: correctly inherit version and scope from upper/root depManagement and dependencies into parents (#7541) (778df82)
  • k8s: skip resources without misconfigs (#7797) (7882776)
  • k8s: support k8s multi container (#7444) (c434775)
  • k8s: support kubernetes v1.31 (#7810) (7a4f4d8)
  • license: fix license normalization for Universal Permissive License (#7766) (f6acdf7)
  • misconf: change default ACL of digitalocean_spaces_bucket to private (#7577) (9da84f5)
  • misconf: check if property is not nil before conversion (#7578) (c8c14d3)
  • misconf: fix for Azure Storage Account network acls adaptation (#7602) (35fd018)
  • misconf: properly expand dynamic blocks (#7612) (8d5dbc9)
  • redhat: include arch in PURL qualifiers (#7654) (a585e95)
  • repo: git clone output to Stderr (#7561) (fdf203c)
  • report: Fix invalid URI in SARIF report (#7645) (015bb88)
  • sbom: add options for DBs in private registries (#7660) (1f2e91b)
  • sbom: use Annotation instead of AttributionTexts for SPDX formats (#7811) (f2bb9c6)

0.56.0 (2024-10-03)

Features

  • java: add empty versions if pom.xml dependency versions can't be detected (#7520) (b836232)
  • license: improve license normalization (#7131) (6472e3c)
  • misconf: add ability to disable checks by ID (#7536) (ef0a27d)
  • misconf: Register checks only when needed (#7435) (f768d3a)
  • misconf: Support --skip-* for all included modules (#7579) (c0e8da3)
  • secret: enhance secret scanning for python binary files (#7223) (60725f8)
  • support multiple DB repositories for vulnerability and Java DB (#7605) (3562529)
  • support RPM archives (#7628) (69bf7e0)
  • suse: added SUSE Linux Enterprise Micro support (#7294) (efdb68d)

Bug Fixes

  • allow access to '..' in mapfs (#7575) (a8fbe46)
  • db: check DownloadedAt for trivy-java-db (#7592) (13ef3e7)
  • java: use dependencyManagement from root/child pom's for dependencies from parents (#7497) (5442949)
  • license: stop splitting a long license text (#7336) (4926da7)
  • misconf: Disable deprecated checks by default (#7632) (82e2adc)
  • misconf: disable DS016 check for image history analyzer (#7540) (de40df9)
  • misconf: escape all special sequences (#7558) (ea0cf03)
  • misconf: Fix logging typo (#7473) (56db43c)
  • misconf: Fixed scope for China Cloud (#7560) (37d549e)
  • misconf: not to warn about missing selectors of libraries (#7638) (fcaea74)
  • oracle: Update EOL date for Oracle 7 (#7480) (dd0a64a)
  • report: change a receiver of MarshalJSON (#7483) (927c6e0)
  • report: fix error with unmarshal of ExperimentalModifiedFindings (#7463) (7ff9aff)
  • sbom: export bom-ref when converting a package to a component (#7340) (5dd94eb)
  • sbom: parse type framework as library when unmarshalling CycloneDX files (#7527) (aeb7039)
  • secret: change grafana token regex to find them without unquoted (#7627) (3e1fa21)

Performance Improvements

  • misconf: use port ranges instead of enumeration (#7549) (1f9fc13)

Reverts

  • java: stop supporting test scope for pom.xml files (#7488) (b0222fe)

0.55.0 (2024-09-03)

⚠ BREAKING CHANGES

  • cli: delete deprecated SBOM flags (#7266)

Features

  • cli: delete deprecated SBOM flags (#7266) (7024572)
  • go: use toolchain as stdlib version for go.mod files (#7163) (2d80769)
  • java: add test scope support for pom.xml files (#7414) (2d97700)
  • misconf: Add support for using spec from on-disk bundle (#7179) (be86126)
  • misconf: ignore duplicate checks (#7317) (9ef05fc)
  • misconf: iterator argument support for dynamic blocks (#7236) (fe92072)
  • misconf: port and protocol support for EC2 networks (#7146) (98e136e)
  • misconf: scanning support for YAML and JSON (#7311) (efdbd8f)
  • misconf: support for ignore by nested attributes (#7205) (44e4686)
  • misconf: support for policy and bucket grants (#7284) (a817fae)
  • misconf: variable support for Terraform Plan (#7228) (db2c955)
  • python: use minimum version for pip packages (#7348) (e9b43f8)
  • report: export modified findings in JSON (#7383) (7aea79d)
  • sbom: set User-Agent header on requests to Rekor (#7396) (af1d257)
  • server: add internal --path-prefix flag for client/server mode (#7321) (24a4563)
  • server: Make Trivy Server Multiplexer Exported (#7389) (4c6e8ca)
  • vm: Support direct filesystem (#7058) (45b3f34)
  • vm: support the Ext2/Ext3 filesystems (#6983) (35c60f0)
  • vuln: Add --detection-priority flag for accuracy tuning (#7288) (fd8348d)

Bug Fixes

  • aws: handle ECR repositories in different regions (#6217) (feaef96)
  • flag: incorrect behavior for deprecated flag --clear-cache (#7281) (2a0e529)
  • helm: explicitly define kind and apiVersion of volumeClaimTemplate element (#7362) (da4ebfa)
  • java: Return error when trying to find a remote pom to avoid segfault (#7275) (49d5270)
  • license: add license handling to JUnit template (#7409) (f80183c)
  • logger initialization before flags parsing (#7372) (c929290)
  • misconf: change default TLS values for the Azure storage account (#7345) (aadb090)
  • misconf: do not filter Terraform plan JSON by name (#7406) (9d7264a)
  • misconf: do not recreate filesystem map (#7416) (3a5d091)
  • misconf: do not register Rego libs in checks registry (#7420) (a5aa63e)
  • misconf: do not set default value for default_cache_behavior (#7234) (f0ed5e4)
  • misconf: fix infer type for null value (#7424) (0cac3ac)
  • misconf: init frameworks before updating them (#7376) (b65b32d)
  • misconf: load only submodule if it is specified in source (#7112) (a4180bd)
  • misconf: support deprecating for Go checks (#7377) (2a6c7ab)
  • misconf: use module to log when metadata retrieval fails (#7405) (0799770)
  • misconf: wrap Azure PortRange in iac types (#7357) (c5c62d5)
  • nodejs: check all importers to detect dev deps from pnpm-lock.yaml file (#7387) (fd9ed3a)
  • plugin: do not call GitHub content API for releases and tags (#7274) (b3ee6da)
  • report: escape Message field in asff.tpl template (#7401) (dd9733e)
  • safely check if the directory exists (#7353) (05a8297)
  • sbom: use NOASSERTION for licenses fields in SPDX formats (#7403) (c96dcdd)
  • secret: use .eyJ keyword for JWT secret (#7410) (bf64003)
  • secret: use only line with secret for long secret lines (#7412) (391448a)
  • terraform: add aws_region name to presets (#7184) (bb2e26a)

Performance Improvements

  • misconf: do not convert contents of a YAML file to string (#7292) (85dadf5)
  • misconf: optimize work with context (#6968) (2b6d8d9)
  • misconf: use json.Valid to check validity of JSON (#7308) (c766831)

0.54.0 (2024-07-30)

Features

Bug Fixes

  • Add dependencyManagement exclusions to the child exclusions (#6969) (dc68a66)
  • add missing platform and type to spec (#7149) (c8a7abd)
  • cli: error on missing config file (#7154) (7fa5e7d)
  • close file when failed to open gzip (#7164) (2a577a7)
  • dotnet: don't include non-runtime libraries into report for *.deps.json files (#7039) (5bc662b)
  • dotnet: show nuget package dir not found log only when checking nuget packages (#7194) (d76feba)
  • ignore nodes when listing permission is not allowed (#7107) (25f8143)
  • java: avoid panic if deps from pom in it dir are not found (#7245) (4e54a7e)
  • java: use go-mvn-version to remove Package duplicates (#7088) (a7a304d)
  • misconf: do not evaluate TF when a load error occurs (#7109) (f27c236)
  • nodejs: detect direct dependencies when using latest version for files yarn.lock + package.json (#7110) (54bb8bd)
  • report: hide empty table when all secrets/license/misconfigs are ignored (#7171) (c3036de)
  • secret: skip regular strings containing secret patterns (#7182) (174b1e3)
  • secret: trim excessively long lines (#7192) (92b13be)
  • secret: update length of hugging-face-access-token (#7216) (8c87194)
  • server: pass license categories to options (#7203) (9d52018)

Performance Improvements

  • debian: use bytes.Index in emptyLineSplit to cut allocation (#7065) (acbec05)

0.53.0 (2024-07-01)

⚠ BREAKING CHANGES

  • k8s: node-collector dynamic commands support (#6861)
  • add clean subcommand (#6993)
  • aws: Remove aws subcommand (#6995)

Features

  • add clean subcommand (#6993) (8d0ae1f)
  • Add local ImageID to SARIF metadata (#6522) (f144e91)
  • add memory cache backend (#7048) (55ccd06)
  • aws: Remove aws subcommand (#6995) (979e118)
  • conda: add licenses support for environment.yml files (#6953) (654217a)
  • dart: use first version of constraint for dependencies using SDK version (#6239) (042d6b0)
  • image: Set User-Agent header for Trivy container registry requests (#6868) (9b31697)
  • java: add support for maven-metadata.xml files for remote snapshot repositories. (#6950) (1f8fca1)
  • java: add support for sbt projects using sbt-dependency-lock (#6882) (f18d035)
  • k8s: node-collector dynamic commands support (#6861) (8d618e4)
  • misconf: add metadata to Cloud schema (#6831) (02d5404)
  • misconf: add support for AWS::EC2::SecurityGroupIngress/Egress (#6755) (55fa610)
  • misconf: API Gateway V1 support for CloudFormation (#6874) (8491469)
  • misconf: support of selectors for all providers for Rego (#6905) (bc3741a)
  • php: add installed.json file support (#4865) (edc556b)
  • plugin: add support for nested archives (#6845) (622c67b)
  • sbom: migrate to CycloneDX v1.6 (#6903) (09e50ce)

Bug Fixes

  • c: don't skip conan files from file-patterns and scan .conan2 cache dir (#6949) (38b35dd)
  • cli: show info message only when --scanners is available (#7032) (e9fc3e3)
  • cyclonedx: trim non-URL info for advisory.url (#6952) (417212e)
  • debian: take installed files from the origin layer (#6849) (089b953)
  • image: parse image.inspect.Created field only for non-empty values (#6948) (0af5730)
  • license: return license separation using separators ",", "or", etc. (#6916) (52f7aa5)
  • misconf: fix caching of modules in subdirectories (#6814) (0bcfedb)
  • misconf: fix parsing of engine links and frameworks (#6937) (ec68c9a)
  • misconf: handle source prefix to ignore (#6945) (c3192f0)
  • misconf: parsing numbers without fraction as int (#6834) (8141a13)
  • nodejs: fix infinite loop when package link from package-lock.json file is broken (#6858) (cf5aa33)
  • nodejs: fix infinite loops for pnpm with cyclic imports (#6857) (7d083bc)
  • plugin: respect --insecure (#7022) (3d02a31)
  • purl: add missed os types (#6955) (2d85a00)
  • python: compare pkg names from poetry.lock and pyproject.toml in lowercase (#6852) (faa9d92)
  • sbom: don't overwrite srcEpoch when decoding SBOM files (#6866) (04af59c)
  • sbom: fix panic when scanning SBOM file without root component into SBOM format (#7051) (3d4ae8b)
  • sbom: take pkg name from purl for maven pkgs (#7008) (a76e328)
  • sbom: use purl for bitnami pkg names (#6982) (7eabb92)
  • sbom: use package UIDs for uniqueness (#7042) (14d71ba)
  • secret: Asymmetric Private Key shouldn't start with space (#6867) (bb26445)
  • suse: Add SLES 15.6 and Leap 15.6 (#6964) (5ee4e9d)
  • use embedded when command path not found (#7037) (137c916)

0.52.0 (2024-06-03)

Features

  • Add Julia language analyzer support (#5635) (fecafb1)
  • add support for plugin index (#6674) (26faf8f)
  • misconf: Add support for deprecating a check (#6664) (88702cf)
  • misconf: add Terraform 'removed' block to schema (#6640) (b7a0a13)
  • misconf: register builtin Rego funcs from trivy-checks (#6616) (7c22ee3)
  • misconf: resolve tf module from OpenTofu compatible registry (#6743) (ac74520)
  • misconf: support for VPC resources for inbound/outbound rules (#6779) (349caf9)
  • misconf: support symlinks inside of Helm archives (#6621) (4eae37c)
  • nodejs: add v9 pnpm lock file support (#6617) (1e08648)
  • plugin: specify plugin version (#6683) (d6dc567)
  • python: add license support for requirement.txt files (#6782) (29615be)
  • python: add line number support for requirement.txt files (#6729) (2bc54ad)
  • report: Include licenses and secrets filtered by rego to ModifiedFindings (#6483) (fa3cf99)
  • vex: improve relationship support in CSAF VEX (#6735) (a447f6b)
  • vex: support non-root components for products in OpenVEX (#6728) (9515695)

Bug Fixes

  • clean up golangci lint configuration (#6797) (62de6f3)
  • cli: always output fatal errors to stderr (#6827) (c2b9132)
  • close APKINDEX archive file (#6672) (5caf437)
  • close settings.xml (#6768) (9c3e895)
  • close testfile (#6830) (aa0c413)
  • conda: add support pip deps for environment.yml files (#6675) (150a773)
  • go: add only non-empty root modules for gobinaries (#6710) (c96f2a5)
  • go: include only .version|.ver (no prefixes) ldflags for gobinaries (#6705) (afb4f9d)
  • Golang version parsing from binaries w/GOEXPERIMENT (#6696) (696f2ae)
  • include packages unless it is not needed (#6765) (56dbe1f)
  • misconf: don't shift ignore rule related to code (#6708) (39a746c)
  • misconf: skip Rego errors with a nil location (#6638) (a2c522d)
  • misconf: skip Rego errors with a nil location (#6666) (a126e10)
  • node-collector high and critical cves (#6707) (ff32deb)
  • plugin: initialize logger (#6836) (728e77a)
  • python: add package name and version validation for requirements.txt files. (#6804) (ea3a124)
  • report: hide empty tables if all vulns have been filtered (#6352) (3d388d8)
  • sbom: fix panic for convert mode when scanning json file derived from sbom file (#6808) (f92ea09)
  • use of specified context to obtain cluster name (#6645) (39ebed4)

Performance Improvements