Prepare for v0.46.0

[knqyf263]

Draft to collaborate on v0.46.0 release announcement

🚀 What's new? 🚀

⎈ KBOM Vulnerability Scanning 🛡️

Trivy now supports scanning for vulnerabilities in the Kubernetes control plane and node components. Instead of using the Kubernetes cluster version, it leverages KBOM to identify individual component versions like kubelet for more accurate detection.

# Generate KBOM first
$ trivy k8s --format cyclonedx cluster -o kbom.json

# Then, scan KBOM for vulnerabilities
$ trivy sbom kbom.json
2023-09-28T22:52:25.707+0300    INFO    Vulnerability scanning is enabled
2023-09-28T22:52:25.707+0300    INFO    Detected SBOM format: cyclonedx-json
2023-09-28T22:52:25.717+0300    WARN    No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2023-09-28T22:52:25.717+0300    WARN    e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2023-09-28T22:52:25.717+0300    INFO    Detected OS: debian gnu/linux
2023-09-28T22:52:25.717+0300    WARN    unsupported os : debian gnu/linux
2023-09-28T22:52:25.717+0300    INFO    Number of language-specific files: 3
2023-09-28T22:52:25.717+0300    INFO    Detecting kubernetes vulnerabilities...
2023-09-28T22:52:25.718+0300    INFO    Detecting gobinary vulnerabilities...

Kubernetes (kubernetes)
=======================
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────┬──────────────────────────────────────────────────┐
│    Library     │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version          │                      Title                       │
├────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────┤
│ k8s.io/kubelet │ CVE-2021-25749 │ HIGH     │ fixed  │ 1.24.0            │ 1.22.14, 1.23.11, 1.24.5        │ runAsNonRoot logic bypass for Windows containers │
│                │                │          │        │                   │                                 │ https://avd.aquasec.com/nvd/cve-2021-25749       │
│                ├────────────────┼──────────┤        │                   ├─────────────────────────────────┼──────────────────────────────────────────────────┤
│                │ CVE-2023-2431  │ LOW      │        │                   │ 1.24.14, 1.25.9, 1.26.4, 1.27.1 │ Bypass of seccomp profile enforcement            │
│                │                │          │        │                   │                                 │ https://avd.aquasec.com/nvd/cve-2023-2431        │
└────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────┴──────────────────────────────────────────────────┘

The example generates a KBOM and scans it with trivy sbom command. In the future we will add direct cluster scanning through trivy k8s.

This feature is powered by machine-readable Kubernetes security advisories in the OSV format maintained by Aqua Security. Currently supporting only upstream vulnerability data, with plans to cover cloud-provider Kubernetes distributions like EKS and GKE.

🔧 NuGet License Support 📜

Trivy v0.46.0 introduced license information retrieval for .NET projects by supporting *.nuspec files from the global packages directory. The packages.config and packages.lock.json files previously lacked license data. Now, with this update, Trivy can access license info via the default path or the NUGET_PACKAGES environment variable.

$ trivy fs -f json --list-all-pkgs ./packages.lock.json 
2023-09-20T13:50:05.734+0600	INFO	Number of language-specific files: 1
2023-09-20T13:50:05.734+0600	INFO	Detecting nuget vulnerabilities...
2023-09-20T13:50:05.734+0600	DEBUG	Detecting library vulnerabilities, type: nuget, path: packages.lock.json
{
  ...
  "Results": [
    {
      "Target": "packages.lock.json",
      "Class": "lang-pkgs",
      "Type": "nuget",
      "Packages": [
        {
          "ID": "[email protected]",
          "Name": "Newtonsoft.Json",
          "Version": "13.0.3",
          "Licenses": [
            "MIT"
          ],
          "Layer": {},
          "Locations": [
            {
              "StartLine": 5,
              "EndLine": 10
            }
          ]
        }
      ]
    }
  ]
}

🔧 Improvements for Terraform scanning ⎋

• Trivy is now able to handle recursive references for child modules in terraform files (bug(misconf): Hang on recursive terraform module #5121)
• Trivy is now able to identify between local modules and root modules. (fix(terraform): Trivy scans local modules #4988)

🦾 Misconfiguration scanning updates 🔖

The following improvements have been made to IaC misconfiguration checks:

• fix(misconf): Update AVD-AZU-0011 TLS min version #4981
• feat(misconf): Add Support for skip_final_snapshot in RDS clusters #5147
• feat(misconf): Add DeletionProtection for RDS clusters #5112

👷‍♂️ Notable Fixes 🛠️

• fix(terraform): panic when scanning a synthesized TF config using cdktf #5080
• bug(misconf): Fix rendering of map slices in Terraform resource block #5172
• fix(terraform): S3 bucket false positives when using variables #4997
• bug: SARIF URI scheme "git" did not match the checkout URI scheme "file" #5003
• Unable to pass tfvars file #4006
• fix(terraform): Trivy scans local modules #4988